50534930cd274ceddd0856cc721d0783814d1fc1bae3c03680a228e6a95d049f

Analysis

max time kernel
53s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
Size

4.6MB
MD5

c6ec2a6423afafb0107e88639236c38b
SHA1

2ae7a833b98f84b9c4465a127f4f6bdb70a2ab58
SHA256

50534930cd274ceddd0856cc721d0783814d1fc1bae3c03680a228e6a95d049f
SHA512

aee69d0128da175a233b9ea3dbcfcb539a2855fa11e28f0dd19e42c760f5ccbf09b4e2e24c31a140ab2f51d3055c41c2a37e5a73c77b65796136a4101c0994e0
SSDEEP

49152:3vuURFfSjB2ZAKQKIFihKwDOhIYz9RtHBDWeTg8iqSkwER4a1HecEPLXhzuo9AHV:/SDiKwyhx4BER3ALkaA

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4696	alg.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
2324	fxssvc.exe
4648	elevation_service.exe
3284	elevation_service.exe
1536	maintenanceservice.exe
4660	msdtc.exe
3056	OSE.EXE
1712	PerceptionSimulationService.exe
2960	perfhost.exe
560	locator.exe
1588	SensorDataService.exe
208	snmptrap.exe
4000	spectrum.exe
2772	ssh-agent.exe
1604	TieringEngineService.exe
2208	AgentService.exe
1644	vds.exe
1088	vssvc.exe
3060	wbengine.exe
3188	WmiApSrv.exe
4860	SearchIndexer.exe
6104	chrmstp.exe
3336	chrmstp.exe
5176	chrmstp.exe
5400	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13ae6793c9b3195.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd55c8741ad0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085620f761ad0da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133647950696440281"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032410f731ad0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023897a731ad0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1471d761ad0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000795d0e741ad0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000863ff0721ad0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000836060731ad0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fec55741ad0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003060ef731ad0da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
1968	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1760	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
Token: SeAuditPrivilege	2324	fxssvc.exe
Token: SeRestorePrivilege	1604	TieringEngineService.exe
Token: SeManageVolumePrivilege	1604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2208	AgentService.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeBackupPrivilege	3060	wbengine.exe
Token: SeRestorePrivilege	3060	wbengine.exe
Token: SeSecurityPrivilege	3060	wbengine.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: 33	4860	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4860	SearchIndexer.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
5176	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1968	1760	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe	82
PID 1760 wrote to memory of 1968	1760	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe	82
PID 1760 wrote to memory of 3476	1760	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe	83
PID 1760 wrote to memory of 3476	1760	2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe	83
PID 3476 wrote to memory of 3292	3476	chrome.exe	84
PID 3476 wrote to memory of 3292	3476	chrome.exe	84
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 2552	3476	chrome.exe	109
PID 3476 wrote to memory of 1128	3476	chrome.exe	110
PID 3476 wrote to memory of 1128	3476	chrome.exe	110
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111
PID 3476 wrote to memory of 3196	3476	chrome.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-07_c6ec2a6423afafb0107e88639236c38b_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=126.0.6478.127 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403846a8,0x1403846b4,0x1403846c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc91cab58,0x7ffcc91cab68,0x7ffcc91cab78
    3⤵
    PID:3292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:2
    3⤵
    PID:2552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:8
    3⤵
    PID:1128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:8
    3⤵
    PID:3196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:1
    3⤵
    PID:1424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3984 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:1
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:8
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:8
    3⤵
    PID:5852
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6104
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:3336
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5176
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:8
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4236 --field-trial-handle=1856,i,16138952116420537630,13524380531870357664,131072 /prefetch:2
    3⤵
    PID:3736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1916

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3284

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1536

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4660

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5720
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc7038945083bdf50fcf83c28999150d

SHA1
6a97e47b297f51a84ed3929c0cc2f55cf12077fb

SHA256
d5bc42326f2e2fcbd7c517a071ca78e90fd55d3df5090c1f19804fecd3d32517

SHA512
d371fb11ee047714a31065cdc2cf135ec5287682391d225a43168d5baf36e20acf0ca51fe1222af8e6fa0dbc94467850b879c4f6b88d863f322d4558deab4e20

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
a55e6e397b6e7567e1afa21ec74f88e8

SHA1
39c0b1ccfbf67a5afed8a25d5dc3923dd69d9d0a

SHA256
9045711470f86b621c14a1c41a34e270e51a541f62cdce1de4207c6fe5d9b317

SHA512
dcd323030a0b49aebbbe5a159257e56859e7bb0915037c7f3b6021dd3f6f50d56374b0c14e40adb840b3e64c5eca2940175fc2a8978e5cef7e1b2c31bb5f778f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
21f61317f97e531d3932e89ddfa1b41c

SHA1
f42135de40f14de05a619a009e31c24671e36f2a

SHA256
017e9475b79760a9c86b1af67dddadbaef321f1ba5c94931c8bc487eb03d8c9a

SHA512
26e76b5f3996bc09ba62a2a10a7fc12657a8d7f51c58a4b724720ec61cbf7e3db7955b802444d7503100f94cc52060441961304ba20636922e056416724d7730

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bf86eea7196fd9022a6784aa84d8c137

SHA1
06cf3ca900d849627faff3bb965da11546ebbb40

SHA256
885700b718b4a23aa03a94342bca6ee55ef8b50f5c6e3e05e4b2b8373f17d8a6

SHA512
6b43a68509362b8791adf759a81931d9ae8f0b70d8ab818615588ad7b4530f330feabea6a90cd061d37bdd4d8ed9476e528bff716cea8d07b8f42785896c0794

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dbfc5f845fe1f5906263e7babaa7cdd1

SHA1
445c04cf9fae64942f82502006204759b64f4243

SHA256
f75c79e54794d0e993e949283d0fd935d5c2c69a6afb62b2fef19bd9456a85a4

SHA512
0c2ef2a37fc67ff60ddb38c1931e7773f5fae74f07622feaaf7e02b19cac8c5c0793953e267f03c2a97bcb365f80904af4d20853478ad65767ffaed888d69634

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5df549428444d26b5188757ca510bd47

SHA1
9de8a5fbdbb7286b583bc150d65b97d6868872d1

SHA256
146d070a64b4929df5f3b1ac2da0d146323d34508860de4b217c98f31b14309f

SHA512
1e2a6c6833dd5a71b89889afc981b6e5bc683d64750e3a7eda7536719a92bc26d58d64b31ca6414e07992cf1acaa662ae05eeade237929aadeb1f5028ac56583

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
c36d1eaaa74eb1de1da7d40d5c9231ff

SHA1
bd3a5b5c2badc7a37de4fd80a1120a2b5ab407af

SHA256
afd1ede87009e3ef78ad8a47a01e06804e6db9711852b1b8527b3d01cab28bde

SHA512
8ddf83a99e418292772fb23a77d1ff913889d27cfd3319fcb99e47120f98a46d61155b8c388de28784674d3304022bab273fa77942cfacf411611f9ca79587ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1a412e75b0ef8acbc2a0506adea89d0f

SHA1
101465e5565ae05e66a9b46a6f25e8d0f08345c6

SHA256
75f2db971a7ae8154b4c574a7371fc1ef2d260d8ee2364ddaba749369f362c8b

SHA512
4fb428ab82bbc9d366ca7c838c64e680a7c6bec791ad154e3c11def49861ba8648f35f2c7f32b2b3f052fa6735e1808840089c71aacdf31cd04f03ff160b10f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
e600413312429c2d136f38f8581efb00

SHA1
93521b3b2480a070ae19b6ac09cd0f4a88497416

SHA256
d9449c920dd2e34f57f2349229b447974fe0fddc296fe27ef6672500a4130e62

SHA512
2fe2f84b21a2d618e32f70fa2412a1a388c029ddfdeb2ba3ea02d85566d1d16e3d349280d70985f651adcab82625ec4b0ba1cbf35dbb8df6935b42636b8d67c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0c3282d5f26aa1bc123999dae91313de

SHA1
0ea002df243f8381076e99f1d09187990e2da507

SHA256
48aa68b4686d442cde1d777b6538fd0a68c274c4af4d5a0416b016b0941e1a17

SHA512
e27f8f66aedfcc68006b7d4a58cecac2521d8af7e0cdad27132769d28349435e89eeaf33a77577bec18c18c8f2ec02b6e4555441c0f17e2fba788d903631f29a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aba79f634244ca5b9da49fe553c6896a

SHA1
c6b4957f316e7ffa2ce1e6bd6d3e966bcc679136

SHA256
8f9449df8a22a5f78d5c64e00b8adf3a1d894fa6ab0fe1b3bb8dc2c2a40f01cc

SHA512
90cbc5960b306151458a5e5e2d6fce5fe895d2de90b1e755a282c4fefb8126e79db2adc24e9f9ede6e58f838e0c821f1fdae61e550448f0aa0e0097422c4e11b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
59bae23eee55bb9ac754793994fb10db

SHA1
dc611b183e7953c27ad8b241af54959dc04f3707

SHA256
4484d82f679f73cb2497e242fd2499e733542bddcd751fbd7b7d1bf8a7ae3c59

SHA512
1acf47a37ab09ccc16c488fa449021ca25e8786ac6d1468cdd657d18cf0306fd9b2bce7d63adf601413ba1c16f8b305e8b324dc6dc5c05fd039e113d0ebf5e1d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1301b3f4598cee30d06a1cc2ce7fd5ac

SHA1
48b2e85e9ff9d8aa38666c6c52701da65a4eb0cb

SHA256
86ef818ee888d21e37639ce6ce0f0aa2e12c6ebeea9c8836cb960408ff4bd75b

SHA512
846a21d480e0a2491ef1bfb8aca410a97ebae84e13656d72cc698e86a73261bbb46676f277ef5664e200785c690610ed4db31722506d9381570ef6386f85c6cd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cdaa1fa2cd990281c9ce9dc326a8967c

SHA1
cf3fc6ac4cb22c7ca5a4a789d019e581d6c128bd

SHA256
64ef84ec4202ed1055f030c0eeeec1774a0ee77cc2740cbdd3f0744e9b260d39

SHA512
586acf3aa792375be29e8bbb12b10ef6ed512a69aaebab115dcff55f42ac4a6306ea7b119061b7ab8651c715481702c834cc519f375217529bc1ca6c83f6e3e5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
397021b67ad41545b8361171f267f643

SHA1
2abad6eb890a67720652aed30af4998733789ebe

SHA256
627e919aafed226d5f951a755017d770c8ae624e46c9d6c64af32a7787635a90

SHA512
60cef0b44cd085f66b7d9a5d55e82c91a160ebf615b036c3a996b2ee31493d21b102052985de5940d940b566f82fe6e7fb9a0ca7a17a9ec510437a41a6645c8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1742376df0a643229a1cb43c6e224ca5

SHA1
f71bfe00418f63bdaeae6d70c0a16fddf3bac632

SHA256
eb49f6e31f924fa7e8441906751040558b666aa8e86592f2275c5da6b3988b39

SHA512
bc087b3db622079d21171f5840cce6e555db065f3bd66817cee55dacae9d57fc64feaf1ac6b6551f78eafcd29ccbcdc41d5b65ea6ffaee69cb5fe5a7ceec09ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c2c365634d2997f10daaa2f7264498e1

SHA1
928437a3752e7e75acfe84df8fa833bc1fc2f1c7

SHA256
7240e93de8b507f19733999c6b5cd883e01bea233d5aa0170f26da5e64d96047

SHA512
91ffdf32dcffeed63947456c46cb0c45d0b3717ace58e5a4c94747839756d79ba587d73704e9250e9ae0611eb31f1659bd51370972f90237843b39ec8ec749c5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240707030435.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b8efee727eb60991fc48c414080905f3

SHA1
1d1b1b299fddbdb2d7637c57ec2964836dc8eae3

SHA256
ddf06e16a366bf31582a6a1923f5c0e3efa7bbbd5c3ff4e63eb28e6083fb2388

SHA512
7254ff991435449bd3ba20c4f1628c7801beab607c42d116fe35b00a28cd617667b8aa7d8a7412ac35a6fd3a9dab5a157e3194899b707bd0952caf5c13f96e43

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
32de2ba49d5fe54d52bda50315cbc5ec

SHA1
2650a716c301ae40c2e49e781394ea1f668568a2

SHA256
9a7f9ac9a183479f71b6a923e7136141696bf4dd95d5c646e3b257faf97e49f4

SHA512
eefe6c6ed228ee89d6d3ad9846ff653f40dd5285969a26ad9b10d1a053d7e33fb8ea8e4cb9cbee754c0ad204ad35bf4addf379572d32f04cec36fa131d26fa51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ce3e35fd10a3385b03394669100420fc

SHA1
f25fab308b36526c8ac5b51ac73178c91129337d

SHA256
12164ec23f6d01efec3b166fda397c8c116ae714f57c0160741c0089e0bee6a2

SHA512
c06e80d2491c44e934cefde10cc9e50633553c49224df4a250d40f7079ac144e7e84a24ce427b8db9332df34fdb11fffc5b356e46556e03fd1beccaaca452848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1646782257283c13281cc5b8b6888a2e

SHA1
f9df8c96fca45b83830addc03b02bb184ff04e6b

SHA256
a46a9313f8f95d565aa68ad7d2eea5139756774704fbb3294cf616a83f04c37e

SHA512
b19718dfd5f3623a11c334907ac17a6d30adb790094c43e190811a9c98594e030ceaded81f3692097f410ac03e54f9bb50b4c2dbd27d4290291f9216b57beaae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
89a5e95def8904088420e9a3ec710ab5

SHA1
d38ac13551bc66ae6a719c342f4354d21fb17faf

SHA256
4060787b08436b0c74687948a27bd40bc90106cf5cf5e1a2b8857e44b9bf78a9

SHA512
17f4b389abf00c613cea7b4c45dd21ab2134c11a7687ad2002d743efbc64a1816bfd051bf8ece974a1e03ba5899c77cff036efb6212a7d130bf4da7f6f87089c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ad3678bc185bcca38b70bdf1782815f0

SHA1
12523a358d08030b4c4acafebb24b0a8c2215345

SHA256
a769edea2f944ce28138f9419ae47ef88bed9d00367ba5da36ebd058337c99cc

SHA512
ca5408e11fabd1535c464d8650640dc79416777a6c1226f067dcb2f084de13817e627230dfe238dc69858f0054798477448dd5d0a5005528ec09ec1d6364d13b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
876857b7c8738c0bab9cbe8b093d066e

SHA1
8b261c0497abeefa64cd6bc718e791e58bbdd19f

SHA256
2fcb52f544d3b5784d1060866d6a70c1434a3a23bd7ec27eb134bcd981db9e19

SHA512
7276af21b2dbb78b4f3c95a95576a9d2d3c2d4dc07e49068e893ee39dbcdf8c7067b3560a835c657d1d61c684e6c8b890b1813382ecbd95987aa1221af1fda59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57f925.TMP

Filesize
2KB

MD5
a075394cf373a1375d743f487133dd66

SHA1
3afefc84c2ea9c9feee37f0d49390673339da665

SHA256
5a3db643c3c682219a4e9dab1fb3c32ec4cc7acdbabb33dfb8d79da449c9f60b

SHA512
a864fafa35a2a5a9acc4b1e3b2bed5c2105f447ca712e8b620ec31a90baaa1ab337ed37d1ccb112485f4c042be301ced9df19077926a002859df5700515d66a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
26979b3076734985eb611daaeb5fc8d4

SHA1
531175106b177a2ec8811f67b756831c6e7c61c1

SHA256
03d10eba300e0fecc897f7d877cd5469d781531a870bcd9fb55b5292cd1e90f4

SHA512
025b1d8c5ae539598847d8d87889ccf2705e93780a441db29243b77b8b9816ddf01f444c2c1862a6ad4977f0e8c2df8de457470def8f96884e2dfe0ab6396278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
b2af08beae7f7ede373e9b8f6a49a67d

SHA1
a8707760bb7026ba2ef87f44cc126812744559d3

SHA256
53914bc99f6ef5bf5bc86839bf5b0a5d8e2e4792eda7798871b0fc4295175c80

SHA512
667eec5cd02e7959a84b3833bbb2b4441019cd005bd27e1296c8d261ee62bf6d65b5993ba69d9111a2664fc272a67a7b5a8da76f09240646ae62cbb56656db72

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e72fba26882a2d8fcdbdd90b47acdb3e

SHA1
26ba5c86b2a032f8e093778bdee7ffd062d6c179

SHA256
3e614383e7d3ae417c42b330e999bf92483d0e476e51e1939aaef41b3536912c

SHA512
a329177f39e05be9ec91593158b5d4b07e0c457bdbb6972e4e741991bf330834356b64e90843876367917474828dc03e972fa83d869bdf0ec4c74440bc254416

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
c75e7f385044d4fc101f6080be96f00d

SHA1
ef4e7b06768ab896f5749b1acf4f3707e2c0f163

SHA256
c2e9c4689207b6213fc414c2754279a197b854ccce294df576e88e895223f8f4

SHA512
c935acda051aa0f3b70de070e9439c5a0d977c381ce650637eb8b754ed06026baac32774ea3308c5175f3d56a4c071131a42db1a64e4a11e9a3ad6d9096d060c

Download Submit
C:\Users\Admin\AppData\Roaming\13ae6793c9b3195.bin

Filesize
12KB

MD5
ddafdddc174e91b74899ca9a9b753acd

SHA1
d321afdd7739b8090b6efc94aaed07ba3b0e13c3

SHA256
080cf1cf5c8fe803542b0394f9a3fe42dc4800b3916dcf28d71686b23d76085a

SHA512
425f8c62cfa6ecfb139c280728c3e05ab02dd48fdb3d5c8fb01c2d8f4e8e11046f59fae349818fda006db0da9fd466e02635b481f9be3fd48fe24064c4890c86

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
bc0489e167d35ab39a3b9ea887d8d965

SHA1
dfa33767d6fa6898e5b0395212975aae89b965ca

SHA256
678721b8d11c44dfee709d6b4e08acecff9a6be471c2181b993d68867fca2a29

SHA512
f38a5006018e393d72e178aa85be2c12e61a7ac16724afcd756acb8d6cfc25ed5251b7394e2dc4999fe63ae66e078a3be6f47aca201327670d7d33f77d6d0ef1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
788eeda5fd3b76af11f5bf4fcbca1ea8

SHA1
ab91ebd4344a83fded22fdac0f198d4f54c15cf6

SHA256
ee0ec9e98c0bdf7c025e1d83544cd4e72d131c17567d2ac13b71b4c3f94c0c4e

SHA512
93758c805eb0d3b6218f8ba02e6c67e5e1575ab60181eaf36822bbe03cb931a0c69cacdec743df41dbfcbdfd341429fe5c45422915ab63484809cffddc91d0c9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
09272b1cab7bcb137908e355150259ef

SHA1
2a7b8541e52440b2e6985afee14be33a3dacb8ef

SHA256
c8e84b1295d557d735b31f9e4477957a87b94d50770bc64e75f14a3afc40619e

SHA512
eb1dc2d2e6524c132dc9d3822c539a68962972258fa11dd24cac7548e3524e9b79ecd089e1b9b3e01349611bc3e472f9d63cf555a89f9ac0e3a23e7092d386af

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
be4a739c6e1c95388d6b73f48d97ea54

SHA1
7b4ba925b55cd1cf1fa531efdb00ad0a0ee5f6e2

SHA256
fbac1b02d9c143423aac57e3240dd256c96204ba75c687662e13cba3bf3caa8a

SHA512
68454855705f5210a416bfaa62a96cc16a25141f74ead169683bc81b8d23a4e0f975d8cc23b60327e11e10fa7a09fe02c23393b45e1176796df88808df3d6452

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
63be12e26e5d986b3a00141f107bef76

SHA1
9f109ad9f8f2df58b28aebe0fbccaefef003c456

SHA256
3a18c25f28e234e638846f9b0847b90c34405a4dcb066f93d406da599d726350

SHA512
1c79a1d774c7fb0a6da798108932e4dbc9032bea29abcf6e74f2dbadb9d522ab3330a5efef787efec9c978cd43470a6b88ef5fa3462dc6a287e36db5bff13154

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
75be6ea5e326053f9b14ddabe98fee02

SHA1
af3204618d08cdcb19aa7f1fdddf80ac42eb4449

SHA256
3fb4f5c66da43918e5cffb148e2637d11edc68ac7ab1eb052b8da70dbb406c26

SHA512
f713eb4cb04474993676eb9d76d1389ddc2692aa57c100e15d2e33ed8fe28da62cd332338064b161e8cc08303d08ef6c6c434ffcdcc2fb39cfbd368fb96ce894

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5c8e6a0fffdca073caab2c429f9a458a

SHA1
609baeb1b732a16f4aedbe62adcedb5f32767a84

SHA256
974e0788dbb4c4377f94ca37afc241920cf244b9f706005afbc2da3d18d5f414

SHA512
9eb0e139731bdeb651dd500e80410db4a227573eb9103a26dd6b51b44976442011744050d5465b8c47ecb271e047b773343aa43dbe8ccdef8eb407c2d715d090

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cdb900ef2c33f91dc1732b697205b6de

SHA1
46ea0fe651811cb5e52d56e65f7d1626cab52b2a

SHA256
2087736522cff58afc27ec5e4310c19d9fc2d7a1370341abb6e06c22496493d8

SHA512
d4d0a9d739493816377025c4b41c48a72bfa3dc01b7a8a5d5215ebdec1b50bb4debc2f4b101f66e3feb834c9a7d5e884fdd3a4b686b38cc332c6bf6acdf9e6f2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ef9fe5318d89f79fb1262e0a67166f67

SHA1
8c35c3a6d20ca3ff9628947ebe0dd1cc08badfea

SHA256
35f1b9d257c3e9b8431b732691b8cb283cc96f078fc3482f13922597258cfb99

SHA512
c21582373a94ae0bbd020e98541b61fa44b5827ed68cd9cde66106b9ada4fb001f48bbeff8b176535f5d038fe1f95760639adc14b67e0fef8f12a9edb1307f51

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8d5ac9fbecf5158ce30eb33d46b86227

SHA1
66722d63716882197285930d768900bfc047f955

SHA256
5f4131f6aac5004672c8f9902d4768c9655ec7c7994de974b39627965dd1a554

SHA512
ddddd3754ef96772d02bd3bf159ff4c546219c0cd5f23261d2de17c6dcf26898f3fb4319f6360819319aaafbc9c2881e7cedfb09b76907e36574ac80cfaf8e55

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d251671e56c5ef27e1167537199364d5

SHA1
1b01f71601cbe2a519c6fab186aae232973ac8cb

SHA256
bd155d25c9266bd5ff8a03792ff590aa989d6dcb2fde9ab279b0ab0279a6af28

SHA512
d36831b807a1bf5dff1c812d3ba2362ffc453cae796259817a5b6bb6012ad6d33bb69754400fd9fead2e3a87eb2a045db87c5ccdc67cbe2ba0f60c9559582dff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
529f4687a53c47f088ddd79ae458d285

SHA1
96899faf83e2b59ea9aa4ea75e568f61cc2143cd

SHA256
4b73a8523b74c3f3c5305836393857721ffe96e56b424a2e01f97f586cedbeb3

SHA512
3911bac6cb2b32c9bad5e67860de72cc9275f2b4827006ed2990539a6ae16af6ec61f76cbfa786131c6690488fbd4650b54d82486df27057e7745bcf023d1da3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8cfb5e445a6eee318b3fa503742e8f36

SHA1
3fa95dab45fe343bfcba9a24fc30cb7547ee1fe0

SHA256
ee803495a2fadaf1b56cb9c51ac09ebeb805237fdebfb7b6464f300d4e53af05

SHA512
3d995efde9e16a47078d27ae7521fd2c6fcae5a687210c18e821507d12c911cd348c7f4e27ff47134557ad89a793db9ef5cd614c4b883c6af9c792a2541a593b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
bd731f0c9e343d6ff003aefe24f9cebf

SHA1
d1cc247b1118e90cc574ff847d6b9dd59339b1b5

SHA256
c21a3b0a5a3c88b9030d9361f97c42c9ae1519d1b965b123efc3ba73e74842da

SHA512
5f22276d7ed15bdfaafa2360bd000438ea2c7b68dacc482842918ef68d77de6e2f1086e8351799b21127c3959cd69760d0a663652ae18d0a1f0b1bccc36e8055

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d61e878bf317b1c713cce2c34cc2d177

SHA1
309bec60c5498106481d031f857b44bc57be9e6f

SHA256
db58398a9d268834696750f464e54fe7e076f6b5609ed23a8ac3badc5032b116

SHA512
0c42c24139ff30a9bab48a6701098e4f305384dbf67c80d84ba9d1dc5471bf7ce7f6d24edefb63ab6c364e4485262ca07ea0b9d895f1e40e12efdc333de2c67b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
75d16a918346b005c5cd2b73b4e9e618

SHA1
c2817518292547d305fa552e56bfb2d8763abafb

SHA256
9fabd5f19e5632557834ba979e14cab35004dcd8a11ce7d70680d4c406628511

SHA512
f6aaf3172c6379a59de1e68f2e6764d4a959ccce4d3a0010f0300fd406b0e2bcf7c58a1f5e87bb2b636d599ceae8279e8a990db06ee5c6ee09810567cd48dd6c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
57bb97fadb5e204ad921c371cfe2f367

SHA1
82ed56fbdc2f6b40e0c93b9967723226efc9fc1c

SHA256
fab45fb061474d8f6a3f4fd9ff8baa84551101d2babec9882a10a7a244b05394

SHA512
89d6a6bcefde906f4ef50495f51337567154272ad0943d9cbd35bf435c088d7ab1a072f116b5d5fd853520d305392719cc37799a7cdec4e349340e7218ba4c91

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
de0c1b71185bf8791d850f8cc518bc2b

SHA1
ce5428bd6df6b4b056716a45829d9e8dbe304a5c

SHA256
fb8b6506aad41d48a0bb93c8b03dbeb9105967bb7d8148fe63e146a30e6d6588

SHA512
cb67b218501ba96e70c0e8084b79b6fdacd536b8e6debdcaa4c4abf2dce76ced2774f60606ceb251835bfde6e954b3ce741e36f4a5648dfbab51810174db0e17

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
39e76555b185e8de64f34c9ae2771689

SHA1
d877c73c73b16ba52b43e8e6f9d18478e873090b

SHA256
e0ecdec20c15f3b2442c1ec26b350c16ef9d4f35251fd8cb90153f2c523484e9

SHA512
2ebb945e0594e2ac51b014073ac614886b62e187e87b9c6dc5b5f7df9b55f6c3a035b75517d9b6d961a086c435dc36534815d92bd4627a6c8de2b2bcfdff6c95

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8c7990b640d12c494406fdc67d25b620

SHA1
e1b0d4dd460f07370ab2626868dac5b0cd0cfae6

SHA256
6f5fe7872b25d4c5b247f7073fd548adfda6c879e690c064a267264dc562a063

SHA512
b3e2db3c65905be5e12c4a2946353be6ee9f313f110d9a10949fd369e6255ec94aff3443394728efe3f19963165e8aaa101cf0472169683a20fdd11c89d8fb76

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
346fb84e21b591b8e4ad5fffef61c4f9

SHA1
08bb62a3f9ea16bac98c35d7f3aebbb63481a9ab

SHA256
191ae629aee9d5ad41e2de3ed60a84b3141395644d210ef095ca18520b575114

SHA512
5027e28949d83db8a285171321172d34472d70627a94ce4875d5a3206431a7a3427573c3e84894afba9de16483590bfe6972edac1cb01b133b447dfb92d9f17f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
08eed78106dd8d9840c8824fc69984d2

SHA1
d41dec0b72fe8f20abe430b50e423a457a986cf3

SHA256
e0f50017023ffecb40890ee3de293a299087c01dcce560468a36d1f84297f81a

SHA512
14e776fb7ec480f2c2c5a3503b3acb95c6f8180573164879fa13010e1d6b44da8cfd02c241125b05c04255feeb09601130289e4fd1b63d7434022f5259987f53

Download Submit
memory/208-159-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/560-157-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1088-169-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-509-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1536-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1536-72-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1536-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1536-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1588-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-240-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-162-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1644-507-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1644-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1712-99-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1712-155-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1760-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1760-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1760-8-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1760-26-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1968-198-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1968-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1968-19-0x0000000140000000-0x00000001404AE000-memory.dmp

Filesize
4.7MB

Download
memory/1968-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2208-163-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2324-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2324-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2772-161-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2960-156-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3056-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3056-89-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3056-95-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3060-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3060-188-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3188-192-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3188-515-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3284-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3284-424-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3284-152-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3284-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3336-406-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3336-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4000-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4648-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4648-57-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4648-196-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4648-50-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4660-153-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4696-384-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4696-40-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4860-529-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4920-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4920-38-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4920-42-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/5176-422-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5176-467-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-426-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-656-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-478-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6104-381-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download