dc53ddce0a3825553dfa2372eefdf850fa36448e3062fbb674be172a6e496fa1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
Size

4.6MB
MD5

fe6bf59f7d505b1ac06d9555dbfad07a
SHA1

88b1c8ebda789c839ec54248de302118604ff064
SHA256

dc53ddce0a3825553dfa2372eefdf850fa36448e3062fbb674be172a6e496fa1
SHA512

34fe957de5ebebe1141861cdc86529585b4695293784f8a83263ae6f5901ad5f2588bd21af6b7474360ea3aba4308b14d939a03238574d1cc7e5e73d28c38278
SSDEEP

49152:6ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGV:w2D8siFIIm3Gob5iEE70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
5032	alg.exe
3648	DiagnosticsHub.StandardCollector.Service.exe
1848	fxssvc.exe
4228	elevation_service.exe
544	elevation_service.exe
3356	maintenanceservice.exe
4580	msdtc.exe
1576	OSE.EXE
4376	PerceptionSimulationService.exe
4324	perfhost.exe
888	locator.exe
3636	SensorDataService.exe
2552	snmptrap.exe
4660	spectrum.exe
2376	ssh-agent.exe
5108	TieringEngineService.exe
1988	AgentService.exe
1188	vds.exe
3076	vssvc.exe
5140	wbengine.exe
5372	WmiApSrv.exe
5516	SearchIndexer.exe
5660	chrmstp.exe
6096	chrmstp.exe
5228	chrmstp.exe
6012	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\96ac0c1677bb1a71.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033507ffe8fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007db0a0fe8fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c8a99fe8fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea9f6efe8fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db2113ff8fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005913a3fe8fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000603b8bfe8fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133647356259916581"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
5884	chrome.exe
5884	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2548	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
Token: SeTakeOwnershipPrivilege	1052	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
Token: SeAuditPrivilege	1848	fxssvc.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeRestorePrivilege	5108	TieringEngineService.exe
Token: SeManageVolumePrivilege	5108	TieringEngineService.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	1988	AgentService.exe
Token: SeBackupPrivilege	3076	vssvc.exe
Token: SeRestorePrivilege	3076	vssvc.exe
Token: SeAuditPrivilege	3076	vssvc.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeBackupPrivilege	5140	wbengine.exe
Token: SeRestorePrivilege	5140	wbengine.exe
Token: SeSecurityPrivilege	5140	wbengine.exe
Token: 33	5516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5516	SearchIndexer.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
5228	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1052	2548	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe	82
PID 2548 wrote to memory of 1052	2548	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe	82
PID 2548 wrote to memory of 2168	2548	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe	83
PID 2548 wrote to memory of 2168	2548	2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe	83
PID 2168 wrote to memory of 2084	2168	chrome.exe	84
PID 2168 wrote to memory of 2084	2168	chrome.exe	84
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 4484	2168	chrome.exe	93
PID 2168 wrote to memory of 2124	2168	chrome.exe	94
PID 2168 wrote to memory of 2124	2168	chrome.exe	94
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95
PID 2168 wrote to memory of 3884	2168	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-06_fe6bf59f7d505b1ac06d9555dbfad07a_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffae097ab58,0x7ffae097ab68,0x7ffae097ab78
    3⤵
    PID:2084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:2
    3⤵
    PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:8
    3⤵
    PID:2124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:8
    3⤵
    PID:3884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3032 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:1
    3⤵
    PID:4348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:8
    3⤵
    PID:5152
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5660
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6096
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5228
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:8
    3⤵
    PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1916,i,11122491214478346595,1219504259530618124,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5884

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4580

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4660

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3344

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6120
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c58d2e5ad70eb5aa9109bd980e1fd8a9

SHA1
b2b33847705e4a664bd48df52d9c752e18153908

SHA256
f0f4e8c00b7bf946163fe73a80c034bd100556880bb6a5795f9c4eed3b109007

SHA512
7733d4edb12a00a2b34fafa3424b48b69704bd55fae776e0ab5d55ce20294ffbfb13bed7ece9eb5970473d5282853cf43b95988c52a50b033bafdc37533cbccf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9a8ac30a0f0c26a4e1a84ab86558c7c4

SHA1
7914551b98e844c0402417b8d4f002f8cdcf3425

SHA256
231bcfd06a247297cdf5e88fb2c1ee70a764de040482d659804cbb4822503da2

SHA512
b322d8382a152d4b316efae690a060715a6c86a749754b6620787b22d493307018687fe1f633864fcd5c74e57e7b0e115af662d3fa62f93f9d2c9ea9aabfe41c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c5e7731c607893cd7b50d6d1c5d12cd1

SHA1
fd2f4b63a5cb4db2d97505d26f64b9b0d0a802af

SHA256
53162042e1eb626c9321938ea42f550c659c22e6852014ad87ff0ccdc10d46ad

SHA512
3c0ecc1b6fa61e884b0dd7802a0e67d6319b5e504cc99684b1dbe0159d3a7a0ce7ada0fc84dde40b7e6750a30476168bf740dbd40e5b818651c2e9752826d25c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b6524ee80cde195a5a4a7a3cb31265e9

SHA1
dbd1a0a2308288ccb4f39ac438bb4caba8aed395

SHA256
cddbcef1924c76d7996e53ca72d2053d1c2c7f910889edf3994a24969197b205

SHA512
dff1ae58b46cc1879298a331b120542c88381141c809765ada73a0db6ae81e025a59e0afe361290dc50b55faa81c7f3f1d9a9233d9fc5f6af7156835dd32459b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f893a33fa600b447197508e0037d7fbc

SHA1
217e50e17a47cfe6a4096337d2c078ce31e61ae0

SHA256
3d68d5599b75cf6397b493f79ae491250bae0ed66b2427dfecc1a33bb3e12261

SHA512
cc66c598f2bfc6b20d963e53bedd2b17860fd69682a1d49ea7ec1027732eba19efac875700a427e21f9d16d0a2da2bdc959dd81c23ae1aac8623c5be1ad72b84

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6010c4ac02908eaba231b51e5c468de2

SHA1
e5d482a3e4cc4ae464df58b1c701a456cb7afdbe

SHA256
a7e966d1a54d925b6e398d62662dab3811bb1ebf3c6be6a7af531bb033d506a6

SHA512
00812f15f2172f126d56a9d9726a66c65333f87a943ff6b31dc1858536b4baea0ef59d016bcd173a16b04a4787fd7e3fa63ec65133d88f010f3dc5b5db70ba6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
09ce1a2c065b6a27c95bf7fb378e88b8

SHA1
0f6ecf22695d75f3722e216bab9124d957314ee9

SHA256
831f73ab803c7d8bc0b9570fc0a6fbc9a3045af10ad0468dd9a863aa4d7155df

SHA512
e21d85d285d92cbcfc7bf7d9bf866e27a8e993f54605ea211590302a799d245d4f53a78fbfb433a7c2dc45ea9d52c0d04b72934a60b985aa7d516696dbaaaac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f2b14f4e9d5572137263c59f61ee505e

SHA1
a2de56b44e49bd18f89487042322d804b6d1ab28

SHA256
0d5f88b6cfff0f9dcdd026a6bdd3556b608c8f7a894ca11474bd16be72189fbc

SHA512
745d34b15cb073b6e2ad6ac000ecd74882367773682a476885ed150d6fea2d454b42712be9ee12582c9f581d74d810cd42f2b80cb4ebd26fa63a10f6a6c304f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
839ca63ce598f1165bb6936053afe3cd

SHA1
7b3639c5cd17cad5baa846d0402bc8e19d53d6d1

SHA256
9624e75101ab4deac5c912b39bbbcfdc0127ddf753dd3cbfa531d7b312d47e14

SHA512
82bb9400988507404a573980fa6303f1a66b3e5ef43dfae7e9858ec8fd53b2546513ec9f8652355dbfd782f573e03f8efa1cbddf7a9ae5a316fce2f9fda10bc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
afeda5f5a8bb43213b5298ac4f37bb5e

SHA1
115c3b23cd0c15edb18a8446240a7f6423d81539

SHA256
932186454a64dfccdf03c6f7dc817a368a05d95c54c7372c8690210618e1bbbc

SHA512
4aef864845489433e86b6cd3f683f76b030d78ac275bbef825b1ce94755a02e38ad865251b1501884a0965bb72e7afc559bb920f3fde9090188b6e31e8566e39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c478212f1408e94b75ebaa38c6aac15f

SHA1
46762b3db8ea76eefc42ca255bf6c591bb5dd19a

SHA256
55ffe3c751398c7c33fd9be50e0cf53727cd61bd2a1bb7a54539311d8ecd71e7

SHA512
611a79675673c868c4c1adca6043dc1e73a62757ebe7278e4cee19eb708b9c1ccaeec22264be90ac8ad57fa8a3ad7e38f2050df3c8b08a1e9e392e9e77ad98c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5863cf46bbdd12d0d6c4be4a25b2c2e9

SHA1
98ea77a9c5fe520e4e6222ee6520fca8fc94f1a4

SHA256
fde0b002f16477a70bcbb12b07f0d0a01bfdf1a7128ff3c5fed935538929084b

SHA512
783bc1294a97ea5a5c050f44d53cb57bdc5bace69eda92f781dbda03e7eb35d842849b40a65c79190be99e88bdc37132fc8014f63949bc623a1bc979bfe34252

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
68adff7a044d841669def0254e136ca2

SHA1
ead76ff52687a35db361b2a222e3253c72e2db30

SHA256
9d79cc4395cedc575aa50424dac17b08d4323c1a056b83e819d20ce5cccf33fe

SHA512
5ebb3031aeb4833209422a936c006b7dc7f5bc2fde398ae49b9662f50d97b6170c634144fa8de04af5cd4e261671d7dae548b9109909b9b329ae748417c5a792

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3024c3e6df9561c916c88b2a30b0fa08

SHA1
d4ca5eb44d7ae35695d0c8115c8e32506350d8e8

SHA256
bf40d093a8a5fcab43b3f075fcdd9388f1b8b0840e0db5373e6adba7eac2f11b

SHA512
9c5176e7d6dfbe6de50ef3684dd5dc2793ef24402b013b6d2766ab42fd57f4ec783a669d1696b068138d18fc6bdc66da52b85d18e25dc0b6b106a2eadfce95f4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a8f1dbf6de869a83ba6af1104edbfa2a

SHA1
9f5a97ee3bacbc6fd914b1cf946a9e545e8be8fa

SHA256
53ecdcf60f72d9bfa69cad4e41bb89dfe64f7e912b9cd2c1c9686a2074743c24

SHA512
a246ad27411c38b180626b22419640edb09e2e7a7ade3c0b4552dfc8fb1a1f3134d8e67ad2de7e98720784c20d58a1a7851bdc8593a9063892709443da2ff71b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0147b2f96ac29a18c13d8f2537b417b0

SHA1
b7f4811500e5e4ccac559854415a290e05771b9f

SHA256
887b37ffad2c1d045e9b5826859edcfef6c44ef89e0b2dfd4064ae1147e9a6b5

SHA512
f09d6a41c18799b9a20c9c4ec827c07be8454846613caa30fed95cd3dc8a54887371dd9d13b67a1bfcecc14eedf3ccd0687eec8bbfe3ebf62564fa69b8b60413

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2c494ff7826a92d18eb54e7212968355

SHA1
339cad02d2d51a60bf74b146d74cf35154bf3292

SHA256
4865693a334ef0a7e5148bef4918af50fe8f35da2560485cb48720c4d148482b

SHA512
0ab85a4bf105027ef2cf3c1374ab9d30e8ba014c3952edcddb1ed479b6dd4a852222b7712f0b051a8836142ec15dd076ec50a6131af3def7f2808be5ec56b7b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1a61c2ba34a7f61bac3e6484f3ef0af8

SHA1
feae2c7adf5d635e1edfeb6fa91963cd21d1f34f

SHA256
ca9ca116c58abb201102b754a2a918aa0a9c6a1b5887b0c6782256af51487a16

SHA512
ffaee4cf902514e8d5978196662049435b7db5d66577f31a4e7ec189fb642c4154d766d0b2b5795cb5818c7ae9e2bccc335f4ecf52bfaf4fb79e5c86c3f57f32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
439e26b9ff653754ecb1b4a3c2334b59

SHA1
e6c70496e1891e4199b599f0d92a5d88ed05d668

SHA256
69fd189ed41e5f5b2928e41ca5d3d329159f0124f2780b10eee6180fbe694442

SHA512
5e4dbedd767bb91e1f183d34adb518e5d6cd3bfd95f9923d5e302cdd7767ff4225e11e5cf15420fb42d1a2a178eca8582d940a5880833421a90373b700631895

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ca97635dc823fd24d2d440b9bc5ebcbf

SHA1
f511543a390105e17c5a77e63753a27e6cb24b60

SHA256
687546d8e6b3c26a82cc37f66b7b5ee293ae1e6a475a0337854857ee53018fea

SHA512
2497d3ddfbc494b4c68a7bb2fce548268bdab6d613c9afa81c61a1b1858cf77b17a8544564ae7449c3b42e5df68feee700ba6c989376516826dfb79780e871d0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
613acad4ae6237e1d0a1004e10516e33

SHA1
65554e733b7b7646f8b2846e63e45e477c101cb4

SHA256
a8f5d8917aa12f101f36460d8aa0f253f276b4b47c61955359364014fcca85a9

SHA512
61109f5994b8212367d2e1046d77525c825a1c07502769d95c52d81eb248e11e7729f4074cd4ae0535aa52815b5a9651db8082079ba45d782f2ebd55008cba30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e5a937786ae47cfec6ff26fab41aff58

SHA1
7c03de4eb02c588b25d41afec9fafff445071642

SHA256
0ee69c2b77bc1eb4bd0c25523d602b4e5cd3b0b9320072b455c58c208eb644fd

SHA512
8eba2af6710762d6bae633116237aa7f7735a95a66fedadbc3c90ba71766597fb36ecfae7515cc7da62916629da50c18d3b61f7beab2048df2bc8aa6a78103b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
153906ffeb98303247516214e0f7862c

SHA1
f36ac20b781ad4311842238017815063074ca9db

SHA256
de3db8b7c947bf364bdb254b80021fd6625ba6104dd886f1f466fe715eaed9b7

SHA512
dfb129a0cc971483615ef294a196be6651631ebe7fb8a3bd58e0c7f4890e3845d894e9d800207be76f26ce38ebe84e75a71029ce408c56f5ac8d0a4f363f16ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9fb72ecbc1b15288b3e6fe15701fca64

SHA1
1a7c1187e699cee39951adfa82b17b4184ecb3f8

SHA256
98545e29db341ad6e6be7d51fbbcbefa877a65c3277eb30571530245dee89d9d

SHA512
6c7070f40ff076f953d7fe29ebe67c1d4ffe18be84fe20e50c70c72e5ed66154a0bb89816cdd8e55e7d80683b7971b9a694c437690f7146da9743a3eb6f820e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e6336f49b91e15d78654f21c8be07574

SHA1
e07ace3b9224711f80509cf6bc469dd69b178040

SHA256
eb438f568db855f4cc62841087786421980b8a26d97b7ff4ad8736f0cc7c3a98

SHA512
4db652114a7f4e528271b2240f52a5583cc0664205a2eb2fcbf1dccda3000cea09f3eae70fe10941c133de8ae4b37be9d6d078ece64ecaf017caa960d84cb706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579069.TMP

Filesize
2KB

MD5
5199ce6d5829df569af7b3887bdd5792

SHA1
29fdf71e3b9e6137e5b950a6e350138b578ad0ff

SHA256
ccde8f98190df126875d98b12d95d9bec1c1c3c8b044191b157393a895b14076

SHA512
23dbad8794fa67a75f71ea5fe1cb74463222667a2e012409643023d03973698b22a1186a0557582aa591e4c1f5f5b90c54c33ed20982122052eec0f721bbfd28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9791f456e96541c66dee7f8f6f372ec0

SHA1
e580ee164bdd9c759be7e84f9747c18d7b6e15cb

SHA256
09a9590d68626e872d54d62130e7ed77646acba1c9784b6d9dd225ec3a762a8e

SHA512
74c05c163b2a13303c456f476cc344ba45fddfd4f41f04e7c86a1842bc3ca413166161701ae60f4cd12a1469a698375529d45f6de9a707b770de24bb0d3382ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
f702abea745de2f0eb444624199e0379

SHA1
c1b5897a2e17016f7a181e61f576cd52b29ced22

SHA256
3617d213361de8814a8ac8c0822fa08b5512e604335d5caa0bc67865c7c09dc0

SHA512
a7b5d4eb26cb04b7f86facdfc2c0f374589683c59c277ad0cf0042f2a0ccfa06851241f36d5f3d28f12a347e870c983ecd6a4258e31f4761c870ed1b640ae68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3818fec2ceee2758cbc2ff7bca6f5962

SHA1
39b00283dd2cdc22e9f065e8b0fe7d22c86c9443

SHA256
fa21f0fdf8467eda162011237e8529ab910d03a4407b1b9d8094cdcb722ad438

SHA512
2525ac88f1369b067216a48e276d7ef0ba35ef481ac2bf3cbe819f1be17d074f80506cf4276c52743dfdc2fe8bd146d8d7c4c6edf147caa75f6395b4d25345ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
abe8462ab44c9f980687f3e36f265b76

SHA1
d0eaff9753ec5322f9bbd567ade9edb0969b2703

SHA256
7d184ccdd1cc40d2d01cac49a6e96f0557b4d617b73a05733174b513d01d0571

SHA512
d8d342b47f5695bfeb7055c2f900ef47e88ff90fe8eaf800320c86436c3c990e3963e3999271359ee70e9e666f7c468d6f1ee54b45c8d1dbe9d12677e9ba4500

Download Submit
C:\Users\Admin\AppData\Roaming\96ac0c1677bb1a71.bin

Filesize
12KB

MD5
48771ac192ae7438235ae0c23f355e43

SHA1
7575f89eeb033785fffb1b76d29c37b49156072b

SHA256
f7c01b8c06cbb75c54a41a7ed73339b175112c68621597dd67dcafaea48cc051

SHA512
fff5a8901113c90703b4df64b2e1f5360f64366933c637f2a8e40ada7d2f935541be08776ad0b0d63443a11713e3733e634f489f6b999ab7541ad2cda6caa90b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1ccb4c1646ea66ae5cc1f0cbc978824b

SHA1
94617a9637d0525f15f068d4ebfdc112f631192c

SHA256
ebd4b84514858463c8c8e9e251d0f86bb4e3d90132ec601e2e48701528e34ec7

SHA512
5153ae8a10c7e871381496e4979caf5dea839ffcbac9309ed9037160a2d27cc24ac729347bff8a722da7c2c65b8962cf5901fa03467dfd206749db629a4d14b9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c6264cc7e9c1109cabf038c1abbc8673

SHA1
de53de2978613376e6333677eb3f34c0f0f8eb74

SHA256
8453af184fafa612f289602cb2e8ffcf85b5439633100f1f4ad67d586005e582

SHA512
65dfc59ae931a8f9b7b90ba35a111ef02bde2379c445c367613134a08cce16ba6c70fab16bd557915dc9328ecde98b2ce8d44e148a807367e83b4892ddad2677

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
38a4db8042bfffd218fcfeedcda04b59

SHA1
692534059d1a63574d15f05436357f2a5285afc8

SHA256
783a9f8aea76a9c2809a70c68ec62fcaee51aa873aea580b535ec1e96e24ed51

SHA512
916da05551fb43954057d16b670ff5cfe9ef1b74144dd5c655de817af2d572c97b1222441aea9e4e37437d817477e9e4174a5f954d2c698d8004f7dc82157bc1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1bd39d1ae27ea86fc24244ad7f2a0738

SHA1
a10e5b3acaa7a07cb6c09a8adb57bf78a5e2fdd1

SHA256
44df9d13118981307425819cb1e81bf41f77f9d1d8bb5e5a4186ea83e561c719

SHA512
d6271d9e6bf5aa01b4754a55d3a0bf4a2e83687ed9ce138238c54b0bd8b9028bc4d6f8b99faf74d527ef95eee46078d4e4815bcfe3e8c787ec27e7478147a1a1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
03c3adc7b7c6994e4968a4e2229985cc

SHA1
1f5c65024d06b45a2864a2d9954d31db8bce3b74

SHA256
3f434855d7dff360d52e98840b33a7050d8446de8acb3e133e6995db71adf906

SHA512
45aa341a43e9be43d14b67c0b7fa7d816ac244e18f585b801a405acb39c0aff26653509096dd0d0c595da6afd43aa535512fc0f9cf644deaa67fd2fa48c42df3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0e852501f0101e8850212fbe7adde482

SHA1
f2129d849782b3adb60aba25e902b69217474803

SHA256
c89836ea8e8fb7734d2958d6e90859f1e4ac7ddd8cd9dff2067ed6e22a5edd0f

SHA512
ee196933ec5f681fe1a5afbdb986a00fc585f7d4aab4395799b4ac7b70780b77ce61ebff8e48c92bce8400463ba845bf2d08daf2d1612b4365f10f67c442cc9c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f358be26f61a96b05fee69ca43ea6739

SHA1
e0afb437d6a6025caf6b7a12d539bf5f473145eb

SHA256
9f912a8362dde47864699b1b66b694036cd1a2c9a16d317043b2f6dee556516c

SHA512
ad440c37240b8f36c2aafd348c70bb5d34c0c136275f97017314f4e0199add7ff982163bf5a95b1351e5ee10c1cd7640f70205b116a23b1fca1aee7862efbb30

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c54e57056ddb2b5cebb024af8564a792

SHA1
8b934b29323d264edaa496df6f7b66c45716fb09

SHA256
d26eba8680f64b5295216389d0dc8513c0ee862a723d7842f160c233a4ad5d2c

SHA512
423edf33388add7d651b4e54774c245e07d0029c9880510e5d858231fca4438277a1e941b5186215ffd548a75a504503dd0b060db7d3703d39e5240b52476923

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
47e5a60666fc551779bda54832446a7e

SHA1
53da1d4750e4d640b225979bd9cb69c49be65a92

SHA256
646307dc284e44ca15f63dab074deecc484ad09c088fb1a93500833e6e8bb0ff

SHA512
e30b056ff22ce1aab3ff40bc00fca9af7e63503f3c642d3ae6b502d5a71704604c079d90c1002d43d525efcef459a2dc446f464661cd0b8b80055494bb17a41c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a22ac3a5427f0e26fe281a957395d527

SHA1
88b837585def4f127034b27cd1040fd1b0f5e580

SHA256
7fb006c584af32f68ea0b4b094262bfd43dbe53140b627df43e09df7d20b02a3

SHA512
caf6b6310b4e10ab6e6435456af8f7f3a491cd1d3bd6f16708ee9879c946f39e6e6a3c8df5efd1e0bc7d63bfd9bcc733c2003bd4b3d2f402a025c07608c0d56a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4d8ed4e4156421b19403dcbb6a231793

SHA1
8fe110c29d801726ee619caca582dd18e3b62a64

SHA256
fc76691b6031b09ab8953298c8846f0bf7a4a4b4844be7f6437aa8a68adc6e55

SHA512
b4a31c244473814ddc3040fa24d898e31ab887d5e567123ff2bd41bef7a5bd1d5623c49d14ab8144cd96deb53738405d995b97f60e8117e262b9131e14db5262

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cedbdc4ec7229cb4886060001b1fe8b4

SHA1
e16c898b204ffdc6a75721318a6fb3a3b501b86f

SHA256
e41020ed9164131c7cff4d0e448929311ee5050d16079eccbfac5c743a6f3b6e

SHA512
f87928074f7f03bca3aa6e99050fb498623a809eff1317df6ea002f70b438597182580a60d3dd11ed4200d27e2be4fcbe7473a4d326a12e03558398236bbd2c5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
42fb6d32aa9670f198c55023dea61281

SHA1
eefcba9e82f08d0651a13b6a36257b91c4e80df2

SHA256
9eeea03817ced5cdf9417ccee291a12c3866e40a311e8b1968c55aa56859e246

SHA512
9a893a9a30b95790bf47282d0e2335818746859253e31db4194443fdb66ff55cd1ac0bd4857aa370499f24baaaacdd4e539a7e03b0e20347d3d67a3362ff3931

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ab4463fd65372dc98e824838c9e1b10a

SHA1
e6e6ca468ddc2f3d39d18fe4b3021d3ffdf99013

SHA256
396998ba56f3c3806e478c51ee94e4c9084016910ae0b86492282d2cdfa35a4b

SHA512
bbb79bbbaeaf0bd19e81cfe1484585b9fb68729ddcc86c91bcca22479df3d7d820212c87cf90d8bd191987aba98cea0289d0710ec754566c2a37e93e930eb3e6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c1f8356ab2b4e32ad3da7f15159faf73

SHA1
91b8773aa3e1145468f59816540514aeeab4edac

SHA256
c54f47158fc245aa740c765fc7c8d3d32cfffa48f6429cdcccf73e240ba6dc97

SHA512
34c7cada61067b16990fc58ef616f553a456ae712911d56d27e021cced365675b7ce5ed2446ddab40e20a579f8b19e7abd2e47d475bf27ca8ddbbb38b7196a0a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0efab0799b8b2e60928dbb887f66af9c

SHA1
d14cb1173c9548c91b2919b96bcd558a993c6884

SHA256
1bfc49b416fde803865bae527d91c9a96a0b106b3aaa185be16394ea1c19067a

SHA512
76ef949e8aa813d257394a010e720662a551835c9a3ddaca07fa402456fb0d47c0f63072686fde0800f3da759f917e746e725be0d557bd1c4c1170fd1d5eb198

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
ed90787cb341ab01d6f76ef26694c0eb

SHA1
45624aa41b2078a75432a815930a2ddcd86c075c

SHA256
99c5878a8c2db6ab57ed0fba05b02bc71fff6af1758a6d5e39ff707e928a0810

SHA512
577a16773c98b9be26f3d103fe7c015d535055c939a5dce29635a6773ffd5a8baeac9600c457977c15f427750f09c7fc834fb02c327dbd77a87b3efa4163dd59

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
69a3e3245af5e12b7c7b8b7410f96eaf

SHA1
1fbdfd525f574b655d19bbfbbb8b63c51877cdfd

SHA256
ab62e6ccaed01b46c4d55c5095bf12f6bc701f7fab140f87c6d3dc673a115bdf

SHA512
eb3c1af2136b2c49c3eebd2eb1a8ad3e4e0af7b833ebf190df20126a1cdfcfdf8f5d5d52f445b0282f441b398d15bcd31d44037e0b97a2b9f58783a3832fc34a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b0a0c770e59d8c0cc30ed114d858fdec

SHA1
33f2809b7b1d8de9b522a2ce2697ae4dc472c9df

SHA256
9c7dd134fa94c119cd78c64c72bc77ded7a954481278878fe594a8a6d10f30ff

SHA512
0dccc39d2d95bbba66321cc28f0d91ee5c1a919002f5afc2046eb5316a3fb81a3b64e8d57f11938b60da1382b389a53f6635ea1399da8b8e0c5247bbfb7e8498

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0334c362cba303737e7674c778576089

SHA1
d9483666cd5e044e1ba4168b79b734d7e4ff5c2d

SHA256
25924e5578529fcf8e1dcae5a185fce57203f69542103dff650257ed71c57665

SHA512
6005350ea88cc7008bb965de1079195d58475a99404c916f70a2b3e96fb32bc9be086d63ad5f365177e5e129b0cc2f4b4f656c7709b69b0c58048bcba1658f4a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
03bb5b91c09b932bf8b92a9c8880c1fe

SHA1
9772b22c415581ff35aa082707f15ebed6947fa2

SHA256
83b82ce615a9bfa369ea6f8d93993ba004237e5693754f023bf8f7ff7c14a047

SHA512
cbe8915cb69b3399be91b4503bae9b6bfde5244a88971e138249af3e4d032afaf04e419238f9b0a60d4af3d0dbc5bf2d6a63fbcde5b23ee3bca8396db3983e82

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
bb8848f841b69df798df3bd86ef5e803

SHA1
13c1e60eaaa5cac367986b8da6f6f9067ba881d7

SHA256
d0bc643db82486d6b0908e2b649c6a438c91eab3263dadebfc1741d212d4ea66

SHA512
bc9a5d00cf1446148f8feb077896edd02ec3bcbd0f14579b9a82767f15e5619b225c901b48a14878db0095fac93939c1498a6042207a26a2f7602c0851e6f62b

Download Submit
memory/544-274-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/544-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/544-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/544-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/888-188-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/1052-17-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1052-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1052-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1052-164-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1188-259-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1188-611-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-130-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/1576-311-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/1848-56-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1848-62-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1848-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1848-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1988-246-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2376-244-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/2548-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2548-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2548-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/2548-27-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2552-210-0x0000000140000000-0x00000001401D1000-memory.dmp

Filesize
1.8MB

Download
memory/3076-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3076-708-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3356-90-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3356-107-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/3356-100-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/3636-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-605-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3648-51-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3648-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3648-53-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/4228-68-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4228-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4228-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4228-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4324-165-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/4376-147-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/4376-510-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/4580-126-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/4660-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4660-549-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5032-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5032-41-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/5032-187-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/5032-42-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5108-245-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/5140-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5140-718-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5228-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5228-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5372-721-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5372-307-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5516-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5516-722-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5660-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5660-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6012-726-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6096-725-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6096-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download