516f2f4d3509d7d92231654bfadb8a47f36184c9eeae9c251447affc7839ca91

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
Size

4.6MB
MD5

7f3bd9305b830eda7fd829d1c1a47d3d
SHA1

879654989266f70e7b1c15bb30bb576ea86fc127
SHA256

516f2f4d3509d7d92231654bfadb8a47f36184c9eeae9c251447affc7839ca91
SHA512

3948485d0301c871cccf2a16f360221958d8028e87bc2735bad77f9c42e948aad479af25d221c6501f7247c0deb0369183157298c5cc5571cd81dada12009585
SSDEEP

49152:0ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG+:+2D8siFIIm3Gob5iE170uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2972	alg.exe
4884	DiagnosticsHub.StandardCollector.Service.exe
4740	fxssvc.exe
3488	elevation_service.exe
5064	elevation_service.exe
2112	maintenanceservice.exe
3196	msdtc.exe
456	OSE.EXE
2400	PerceptionSimulationService.exe
5036	perfhost.exe
4400	locator.exe
3184	SensorDataService.exe
3980	snmptrap.exe
2580	spectrum.exe
2116	ssh-agent.exe
3724	TieringEngineService.exe
3640	AgentService.exe
4500	vds.exe
4532	vssvc.exe
3932	wbengine.exe
3220	WmiApSrv.exe
3760	SearchIndexer.exe
6080	chrmstp.exe
5192	chrmstp.exe
5400	chrmstp.exe
5480	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\32a8ab27a33ac798.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed180d0f44d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011f1240f44d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5e5421644d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c55d41644d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a2d010f44d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed180d0f44d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000677ebc1644d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a2d010f44d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3584	chrome.exe
3584	chrome.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
3600	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
4748	chrome.exe
4748	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1904	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
Token: SeAuditPrivilege	4740	fxssvc.exe
Token: SeRestorePrivilege	3724	TieringEngineService.exe
Token: SeManageVolumePrivilege	3724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3640	AgentService.exe
Token: SeBackupPrivilege	4532	vssvc.exe
Token: SeRestorePrivilege	4532	vssvc.exe
Token: SeAuditPrivilege	4532	vssvc.exe
Token: SeBackupPrivilege	3932	wbengine.exe
Token: SeRestorePrivilege	3932	wbengine.exe
Token: SeSecurityPrivilege	3932	wbengine.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: 33	3760	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3760	SearchIndexer.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe
Token: SeCreatePagefilePrivilege	3584	chrome.exe
Token: SeShutdownPrivilege	3584	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3584	chrome.exe
3584	chrome.exe
3584	chrome.exe
5400	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3600	1904	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe	82
PID 1904 wrote to memory of 3600	1904	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe	82
PID 1904 wrote to memory of 3584	1904	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe	83
PID 1904 wrote to memory of 3584	1904	2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe	83
PID 3584 wrote to memory of 2372	3584	chrome.exe	85
PID 3584 wrote to memory of 2372	3584	chrome.exe	85
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 4820	3584	chrome.exe	112
PID 3584 wrote to memory of 2964	3584	chrome.exe	113
PID 3584 wrote to memory of 2964	3584	chrome.exe	113
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114
PID 3584 wrote to memory of 1600	3584	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-08_7f3bd9305b830eda7fd829d1c1a47d3d_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2a4,0x74,0x7c,0x70,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7338ab58,0x7ffc7338ab68,0x7ffc7338ab78
    3⤵
    PID:2372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:2
    3⤵
    PID:4820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:8
    3⤵
    PID:2964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:8
    3⤵
    PID:1600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:1
    3⤵
    PID:2716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:1
    3⤵
    PID:5244
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6080
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x27c,0x26c,0x270,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5192
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5400
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:8
    3⤵
    PID:6088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:8
    3⤵
    PID:6096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:8
    3⤵
    PID:5372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2328 --field-trial-handle=1912,i,17527776117402865515,11367785754771222785,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2972

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2100

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2112

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3184

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3760
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2570b1f8b02d0e012f8ec163dee3c96a

SHA1
6c899d6a326ff69469ed40084aba770227f78923

SHA256
8b5e9f2b13c8c43ebe5acdad2154af89bb6703a6f243d37984c68a54444be788

SHA512
c5a8f3f3390977f6abfc83289f318f023d2ad1cc95a309aa45b84a85308caf75cbb497284b8a77640c151b4047585d3495a14bf298e8b417742e3a9a103c7049

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9e7888a773c703ed2bddb2b5e15bc3cb

SHA1
2865f9541253e957aa50d46facc4dfc1961860dc

SHA256
baaf3884818321cd9b9576c248823e272addaa416365dce6d7877fea4b3e918a

SHA512
f5e3be7d919989a237c8e7c80feb1bc3422f40927450271d312c63386380d16605ac9df091c790d10df4f5a0d329d9a6ffa24c053f9426f6ab76d3420737529f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c9cf8097f4ccd6875520750a4bbed8c5

SHA1
7a0de96966cba5a40eb95d9f80b73bd9ec38cbe9

SHA256
764828471b18bcdf029097bba1e9b3dfc905c2a3829a25fb9a568469bcb2ac14

SHA512
8c71ecaa23e37142293e46509008e5dd3020e377241e245087f6d7d5b96baa190f992ca19fac72f01cb131b1bf759478a5c2770b66e2b66a8b904dc57e1752c8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f4f4fdf4d13ac996096a72af72a3aee4

SHA1
9a1d2f62c004dfacd140319ac4bec6eb0a8761da

SHA256
510cf3491269e4658169ed38cf3d145901698ac313029f6741094cb46e8cecb2

SHA512
7c61ec8984365facd8012204fde61efca5317385638d3ed47bd9381838d6ffd2d7511a5d25b92bc9334adc75c6f47961a18e1fcff47f29da06a1ded01014b2a6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4b67d506bfe220764e932b45e0178edf

SHA1
4043569aa8e5157d0f077db6c6c4b63615511ad9

SHA256
7a51d39145d062fb606de3ef3d0626618c9081ed63f799502d180a4996b0ce91

SHA512
532d964e67b2a5e55e12935c9899bf08421a83abea4dbdde44f39501ea1aae02f5bc1948f8917e8e5277ef3d852b55c6ff40fef481c8db9afb0bd770da09d7e6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dd65518f5dee9d9fa297d527d0db1d01

SHA1
154e98dbcba63bfa05ab32007a0abc2a8aa9a21a

SHA256
3af2a78b3fb0d085dbf89c9f57ad0379d4d80f6b6d3324832ad237fe39d827fe

SHA512
727ea571de4ab01f5c0eecf6a50888904348cffab1640ee068953bf8d81e31549d12c10eb269899f17aa3071a0e544c673eb696d14de843007e7373f971ecd02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d24f2b2a5e9175a7e5bc4caf8e6a5dc6

SHA1
d8234cd69fc4a9e70b3f26e832136b85eb819a1b

SHA256
43af889a029ee4c4310e34cda7d92a0014a35f5084b303442122bd2640725928

SHA512
e16199c99d3a10162b0ffbc181adcc66d7ca5c5eaf177bc03a2c6891423e7637310497263228b9359c5abfe6d0d154782c651df5d2de568d84dc88e4b605e319

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b39a2da4073556a105f79d04f31139c7

SHA1
01d39726faaf6751dfa8596515ac4c18641420ac

SHA256
fbe636fa1b93c00cada9564e954ae51131125fe16202b5583682c93992b8f713

SHA512
0f5b6e15397589161170f0f1a5330896b9d881f913aa5b52a055e99d2ff4388abbe5f6beb2ed9530650372882c7e22ce78acaea74de7e9c01c9e9931e93db20a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
656ae0b426a6d1069d3bdfad9050badc

SHA1
fdffc73ad86f49ce0bbe17b1f22e5c98948bcf7d

SHA256
734f4b98d88f512b84f124d24cdfab76eb866a8b21b661d09e8ac5ce92be86cc

SHA512
e6a24b883c4363d4bedf880451293e4fe524bc3ad9b7c24d4434313a354c32946bd9701a687a6d69c4e1bfa46ba94fd408c85b12f71cc671023e2f6e7c285467

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
92b18099bf87c981c2899e6d8b0bef6e

SHA1
75208aac6516f75d59a0aa77498c4d1babea80e4

SHA256
1a2533858096bb11dbb056a834aa668ed17c325a9e1af1047b7547a9d0788211

SHA512
7f3ca6289e873ee487f80d0e1cc8e8ca6eb10ef8883d98f21e428788dfc406e934e2d7e1130a4edd62fe5063d26bba8cd4fd67d801ebcf236987ef081bdae2f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
16adf496f1540abdbfe76599766b9d72

SHA1
99ec063653faf5e67971befd86604bed865b7d5c

SHA256
c886213896a336b25bfd8ab8d2c02d231fe8f39debc45ef6d8d109927b1aa22f

SHA512
7ba32f8384b80e71300e19cdfbfe3d9a0dd523989a8e560be864cdc52fac8cba11d71f7da79ffcf4ff72a924490ccd334436a97bad4d9363e872ced489a976a4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2d5b6d2bb4ee1351556bf81fe85b732e

SHA1
f4156d6c2ed5156fdf4b7c5bd04c3ec54bfef857

SHA256
bfe11f6d21ab194a094e78da737537d6d906b260a0a930b1076434797162b33e

SHA512
7306b91cdb115c2ecc6ba944725900bed27cece9df34d7fa82784d22d63a6e8f737308bbf8c0ee8353364b1344a513c3e9cd378a9fb06b10fc85cc16ba5d1526

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ebffc9864655a1f1c039ce7c1b657297

SHA1
ecddabddeef226fb96e3560e6f01f859eb424041

SHA256
8327deadee4f6a80725a66e76f4eb2456c23fc0783a3023e5c343a5ce39c03d1

SHA512
daa287b3eb756342a67e6253f790e3553227bebfaf39057f9e2ef05262fb564c3d399ed5d843190a35ec06177c3baae44c6599ff7280ada389553022eb04d736

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ba2806d57c0c9934184cffdf1cf6dbfc

SHA1
3f0665f5fa307f11e8569f95ced0493aca252f85

SHA256
7440a473b22174a6a30a0fa2517c4d16eb31bf2bf905b9ce4f1679188af9420b

SHA512
1a3e823359db46dba1293f5a6563d0c0b1bcb90981a30e456649a536f6c6b4b3291edf9e3d4f42061df5353fe53d046c85b20a383412a020d898c54da9d3da28

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a323ed355424d9e6c4d7d3b7b7612496

SHA1
0645ce22a451e252a2fc9d2c8ee208a8e03d03f6

SHA256
7f1367b97a1e2f2fc7035fabb264c5dc460dd9a081e056b094b65fb52b11d433

SHA512
ced19f654f120ed56cab00dc3e576b88157da56be9f0ecb4431a25ee83d5018bb79074fd5cc2b370c2e774c4d6e12f2ea62064b685523b97b08d9235378fc97a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
dc2de49bff35fd0832c5d41c90d4d4e1

SHA1
1b49564357509901b1771b93c54eabe4ba1ced3f

SHA256
08a7c35647aada0a69aa49b11b41ad797f9e12dcc5b7842304e42cee20b1598d

SHA512
57d250fa993c2ed560b2c54734bd459302fc6245b30d11b1dec17c9fc596008080ba3c3cb193c9f0d00c69d453180c5fdabd844b5e62bafc14ad988d4a778e1a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f51ea7ccdf16aa712dde40536fe8e920

SHA1
770915e542b98ea112a52a2b1bf3766cb9baf7d0

SHA256
9f77d2237ca9f6f41eff683769d708cf7cfe965b7e95fd18744f6e18572cc3ca

SHA512
9398bc89009dab4e4329aaad451042a541a42faa91aff45ee38b0f2de706f6e252ca97536b7d29d6fb77e5e6e7d25d84d9b3d7f6eb6f394d83d6f9b7ebb58020

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a0bf7a1ce09f2ddb512777df2dd9c049

SHA1
071533eb151872a26068421a2052c9e7f7c270b8

SHA256
b3b1732e17505636611d00b50e5e5a116fd81bb6d2c339ce83d7ae7b2c8dff08

SHA512
9d3f82f97925809bc5460c31b7a8efbc40b14da006dc5a488eef3ad1d47483b48d49939dc95539fc987264916065d6718ec6605dd5f047e6bd98f433329eca82

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0ddff08091c8b77718716f1bd8dc21a1

SHA1
cf281b3adc72878b1a941b98d85d082552e598bc

SHA256
53bd172199fe02e2ad09a9f3729b1b9409e0472edab5dd21a6b3c1b9e497796c

SHA512
c1240793b762132d0abfdc6fbcfa38a8d1e41b4a5e61741d4d96751365582259a92ba37fe48d0b641b53ba650a99b20f88b3623aa2a138a7b45efd3f7b0e09ff

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bb14979b6f5f413cbe3089c69bd7d726

SHA1
a9a8fb2bed286110ba483af5299bc6f4cf7a87d7

SHA256
55ac30980517a78982958d538aed3fea893bd8820b57d67503a6cfef5c882443

SHA512
adebeb880d5aada056d59b6b6fea30ddedadcc31a01524efb2ff54879ddf75e2322decddc5221c2aab2d29a333911c15f143bde1a887041d3aca7783abfd5ee9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7c88c614e86ec9185ddddc011b1db7f6

SHA1
9d50266596957bec37dbfbda3d6747aaf5865606

SHA256
2af3c57134603575d0d7e7e123ccf7d3ef87318cdf778aebda8b50376bf014f6

SHA512
656b495eefc9abcc304fe8dd1423002177e1253937a0f5fd4bd625adb5572745dbaec8d35cf06fb7403c7d1c4a68f84e8196885d1194cba260cb5a9c7ba1b75a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5fbaf5d7e8be176c8afaaf213e32599a

SHA1
4d532c68b02f4fb1f0e6b4a86b00df3e4c79d84e

SHA256
57ae1529f91981bf65d6ee9ae8c1a21c1400e86a30e169a5083262e14f1d6c93

SHA512
8c8906ec32a48d2f1086cee192d6cc5d713ffae8515ea5c9a0ea73ef0751e2093a4f68f068d15f4bf7adffdb56e61aa3ef8a5d5d257bc534d8acd51fecf6fc9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
74f1c11c74d276fc4eaea05d220ceb94

SHA1
05092c8b28d06d877c26e507ca669b8d3e82b27d

SHA256
3b958a0f3182fc58b9f53b72680bc9ce6677f6f3e6594ddfb7b59d0517dac65b

SHA512
9243b4724a91c15670d38b2b2df9c020f73ff963d9a9615bc48d4c2f060caff0b878170ffbf1e3ac719f7402d7a1b4831c158769eccfe223d4f0787b78732c29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e32b8750e8cd8b530f3b5233884e98c5

SHA1
baba8c1e8b05abf03ef9ea06b3badeadff2a8e72

SHA256
936784122ac7ff8ebabaaa137640c40f0d4be179ba7fdaf2a58d3f1a1841d117

SHA512
30429bb189ce9b03cf5b913be82473e7f6af498a25834bfe9a228116953909f1e4f58c7b8ea2e1c6ff5840745bc85033254362b30aaa3c6dc8ac5ec792f4f824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
83839a9524f37c5f090bbc1ed06b92b9

SHA1
24b6f45c124b146c8be9c618b21d11c96a8c3d18

SHA256
235cccdcd63ead34f9face039221503f8863a7d249d4a1cb604f017874dd3291

SHA512
ce18a9c1c06b42956fc9619c513ec8a5bd3ee48004f4f5949de15dfe858184c2fac120a4a38ada5af7787e7f7975c5f55d4637f93e2845fcb5feb00fe7f04b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57ce3d.TMP

Filesize
2KB

MD5
4d3b86bde734dd4f78c7570405a9bf01

SHA1
fefdf70cb37b1caa044478c562bb462cdaf1239a

SHA256
a4020f53404ff5123245fe9aa42b6823608572ecd7ec60666a48cfb22c617dc4

SHA512
b9d08f86f9b303fa15ac9865e10d7c118412a696ffce6d7f2096f190f80464368306abacb2fc74f16d38370674f54894b1f87c5db03378ef1a43f5bbdf093d70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b9b2ebb9d48f4747d6b992a56dab323f

SHA1
b39c3a8f603e8aa061bbec817a5bd18ac35f2261

SHA256
5e357dfc93f413258850398ad464bab3c1040fb2c7c74eec8517d2e0379c82c8

SHA512
0ee9d76d16f320b4fcd5194d09ec19acf55e68dbd855612b8e906b57ca92d45f20a55470fae78b89bb9e2147bd870da2cf8317699560383fbcf0aeb7a90d19de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
09b180f37d10f7ef35b0f8403bcd43a1

SHA1
66523b5c3ed0c822d179d713924aa7a739de933a

SHA256
f9e400f1a065a063bd2dfcb37aabfb60883e5b1fc1281170e1c12847900c8a75

SHA512
7f9a9f389a393cbd9f1f22c1bedab76d9121e4574d2672b5f1554f2d016757352d8823cd8d1f13defb8047f4908a094e0bfa8ae522bc8e4bdc8ab14262aa0c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
adbcd06fdd2748e61030d493584e12e1

SHA1
efe228416a85e51e2e881eba82fabb5de9e93918

SHA256
1774eb74b5d6b440340030746d573bfc73396a38967644c8c7466819623f06fd

SHA512
234e9da872793dc4e1955ec60f17b08e38a159b0d402714ebf5a41e351af9d85f2c7530fb6eb0e2776b37d3c3e51abd35545e0a8ea8aeebb88a43da7aa534fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
0880af138357ec1c17c1c99ebf53dde8

SHA1
21b2de048105795c0e4f83b1293eb4e9528ecb99

SHA256
b7a71f3f8b491f878bc791a551af25697a46cdfc9a6e41f9f4fcdf6c549801e4

SHA512
4f800798ddcbbe8e362633c788a5f338df9afca4d49b65617086977c2d1be63c3f170f676c1f7cca9f127afa3253e4856c973bd777e9ffe509558d4885bd10dd

Download Submit
C:\Users\Admin\AppData\Roaming\32a8ab27a33ac798.bin

Filesize
12KB

MD5
e359ecc722fa98fed7d8f20fd94773f2

SHA1
2292444f6d862141520e4969b0eedf1eff708f41

SHA256
00dd2d2e02308e45d67a90e69029e053e92489f6a7c9b1f4bde45e332ac10465

SHA512
9cafe4fc2f374c4dbe20f754b777439318f4922e3421be1c18d518aa9fc028718e96b9709b2fd31894ec05d3bc10ec939147621d3e52e875bb846547d15e5855

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
83fb2603c424fd0bf7dbb80654f0d98d

SHA1
74666b6cdb259ed658f391b320a522b11725b11c

SHA256
4d92c6daafa7d725bc34913a4ebc5ca19eecb698ac67a16dea8d22a30b27d76b

SHA512
2f792e7ff943260ed85f93474b0e6a86bc59842ac570718751fe07febb4741d833426cba660c196bb0fd90aad6680fa77bb63509463a76718a769bf3317304d1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
45cad8146aac9ff866d4c0c87a48d7d1

SHA1
a6e4778965b71b3d228ee9f698cce4f0777e83e3

SHA256
dc7a461a0c8d44ac5d19df7e623bde4790baec21a3def9c85408b8ac15c270df

SHA512
bfa4e8bbe1f30b559acb0466219d2101e21b85bd19d56fbc5d46c51b8b856a0b93803722d1abe0aabe92d81444fd038ac49554756d6083b995e8df65d29d08e0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3d2ed175a096aad35f4b26235ca0a39a

SHA1
9cc0d745db524d502c961e445e3b39d95f97afd1

SHA256
2234d70854f9dac9aee7248665f076991b8347098229f532fb1ea16dffcb9fd6

SHA512
f24d14877592c5ac1c557c1046da422009c78de9e3fb8bcea86643de0aca25cb1ffe2d7cf3d44bd96e2af3a0abe0f4600e7773ca0b4d4fd833314d78bf113f29

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
42fe6ad8e6a3abcda2df6c020df19c90

SHA1
c66a37c9699d7b22976afb011152d0181f5d7842

SHA256
69c48d9fd2c02e4930a2ccb070916009c711d22af2de89fa2d6e61086da4b594

SHA512
bbfd5274f6abfee75db9579a03b6c202cb8dc0fcc271fc9d034bad391064413360edf29fa942e6e3de5f3132949c262f61ae9bb0077deb61a273b06faf9e8fc9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ce79c56e40fc96ee922b8c02442cb096

SHA1
602e1988dea0a1ce68e56f3a1e187071119aa425

SHA256
cb85cc3e67ff61b8a879401be65cbc28cb75bfbbf8e583d81a6d7bd5a5479a5a

SHA512
a98853c1885bce80b4c45547f1e7bdeb301d5d5b4bd617c30275f26785a4814c462ff87dceeaadd7b3df5f13630036cec8d44955bc9742cc9b4abf0b116ed17c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e914d204548638320ea7efa3495ce539

SHA1
6a25c4a248706766de0cc309749aa4d6b6b08556

SHA256
39614eee15f83e5719a1f134d87282b864b50fc70cb7bdb2138ffe1f7a2f2049

SHA512
dd291079b5fbff0d9e51c969d393d431bd29d76fc76c948f1f74aa6b2f1e14f3d372e4796a20e35c1a696a7c34a2e61ef4f72c19765a9f3c0ee175b6bb0f674e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f4c529a9db6d5e8dde74e02d3db2211c

SHA1
48a597f1a8ef1c9738c247693e83a48e38536dad

SHA256
6a2abeeb280bf8ca0af7d4907dd4f204edf6e993a09c60975293399bcd1ba33b

SHA512
58ca027d1432d836f89599f46347f9ee564c9c3f4be17660ae62985bffb6867ea5e8cead69567b4c5464c72a98588e434fee09ad4481552ca39d7078d25cf99b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0438d51938797126cb68d82c0cf709de

SHA1
e9ee2f2e1957d5f7f4e81110c96e1b451b53cea3

SHA256
59b811fe844c2c2338640d0bf3c9887542c8d2300da86aa54afc1e1e842bc0ef

SHA512
9723f22fdedf62137d93c76f84d04496de4bc8b0a0dbaa5d25489c71e950f3bb85461c909793f916f08efd84ae484e66b4b48194a0028456053a2f32202e0b4c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
41f683ff9f8bc2d697b1e39977729f13

SHA1
761de19a99b9933c4bb1c63e50ca5519fed50b79

SHA256
9bedf1a3d923409efaff429490743cf9c5b5653764321a5c549bcf9b8c126861

SHA512
d69def199a7f2dd7bf07e745d1cac756060add35587da5ffa0bc87b737bfffb684477541b31f335fbc4bd3bf50ed53ac5b4ed8a17799b771118f3ba1ffaa6042

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e7b29e1e3ca7b4d7c7c5d733ab578e6e

SHA1
b6532b66ba26ce4813e580aa253ef44f03b9ac06

SHA256
613acced2ba232606264969e67f669e44dfc3df60b62fd820cd61f6bfda6f3af

SHA512
066a0e1a4c7a987584c0bf0799bb52365b834d622606c5e79fc09625bcf77fa31d1a9bf1a7a1dce0d817525bec701fcb2275d3f2dc62eb397a164bc334d35857

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
807a25088e07bafadeab0967484e94e3

SHA1
b3a9924bb7c8334fb4244cd64ddd61a1b03484c0

SHA256
4ac02aba6c9102bd0f44af828fbeb37cf12de4509bae0bc5a57a7061a4a9a833

SHA512
633053b93b607daad92992e7c22f2e39d4d9aaabed3f9f3c5be6f3cb7579ea658b933186a36f117d3cbf6643fef0c2843cfb5b3b835c7c6fa397f1eaa4a24a2f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
45860a85c9c396696065debf01fca54b

SHA1
d33ec6028e899be73e8f6a2c35cd847e1d014d70

SHA256
a975fb2faaeea7f21706c61563a227bcfa02559c147261381c3e4897a04ccd71

SHA512
c9c8d90dd2e82924b48e489dc178071ffba636e3aea0d1811ac34db5fee5e2eb64b991906de6a734fb4965e7b68f764426753f7b8fda9a32d7f8034701a2cb49

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fa24807d0746f22011c04745c875d78b

SHA1
244f66593f5e9ddfa40f8b20f8622438c23780f4

SHA256
ac16abaddb8ee6140e656697b4688bb629d20defe53cb75a85154848b69d37da

SHA512
bba2b3f082dd221b966ae43bded7e09cb08c39788f4e882eea6108d162acd49c31fe185b8941d845e8f85c46e2cd9619cdaf55f6906fe053e44e5f399cd03161

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fd1026d45524a1c83c0c091e6d3e5b91

SHA1
34a5d8e18665af16753e26144293c91a07d65877

SHA256
05452ab4642e03b0948b95af2fb8814af9b3f34f154cd01b29f7fbb9c90d4cce

SHA512
ee97a54c56d0d764244f4bbf0bdb7a37a6c4fa2dc7eb99a1cb8f10690f9e403d279b9b7f4f44108cac80d1e870badc581e20e3cea6938974aed3bf5271ed7041

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ea28093ee1387f780185564addd3b754

SHA1
71dfbc360e9ca91cd5966ba8a496dec229cf9b87

SHA256
3aaea02e076cc4ec0d6e309aa6dc03bb8822853c58480cfbb032adc5ec94cc06

SHA512
7f4053450323f9525cf47264cb8df1631eb22344b5fdd734c170f9a0b032db9b7871a62a172e28b0040623bce289c85c6de1c79d2a8cc97de732ac56a93d4012

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
36a7119979c4b4b7e8771ae3fa0cbde4

SHA1
02593bb0d20415dafb7a161aa3b0327dd07f66d3

SHA256
552b5ac6d9127c0a6a9a7a32ab6a2a9619f53848990d7335fb26ea2128cfd883

SHA512
1fd1156ed35f274976045b478688a94321a49c222c7fb7a0e99509c4cc6e04717a6db0aa1441aa3db99e66105b967f6af8b76425b78f6e6fdf557ae28489ce93

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b3b996c592d009542508c5e056ae8f72

SHA1
92f79c7171a64dfa659ed1d14144db0da13de39e

SHA256
99c29048ec13bd48eece1b905833e2e94f8cff4dfe26220f51c7d837efc5eba1

SHA512
781d9fc8966ac444e05217c7d8148d12b8bef049aded03e664a1657fb1932d349ebb9487d177df15e806e94957d52cc900fa79d781a07c9f2472f45d37f082cb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
361bd103ad358151176385748565c5c5

SHA1
cb60cff963acec7cf3d7737e63d30e15d6330127

SHA256
4414098db0602e0fe81e4d72faa82a7e0d0a11210981376036f43ef1277ad4c7

SHA512
b929cf60cefcbd9d92e11e8c11d6a423741b26fd58343ad9224e6aac5907cdb02b841dd5b4b6e9f3bc9b8bce4f7016539d3c1c0278b9347340a5c4492eecbb0b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f0223400e73908f6aa5fdb284cbfab2d

SHA1
257536928c8821d6d1e0bcd686b6123695c746a7

SHA256
9a2b8e721e3d715735cf5c1df5a158d39745e2f8f1e59d3d48fd050433e23d38

SHA512
964cb9394c9ed7a26e1ef20c559c4a5152974fabb79c378ee9f441b841ff1ab5669bccb6888fb64d7de4d6f52677e068a663452ce7572ffe0a2d9fdadf237a5c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4ef6e167bccef972cae45f90123b0545

SHA1
b07e7141cf80f8348de6a07ef66cb8ca9a8453e9

SHA256
6816c051e21d78647fd7358e20a7a2aa67e28fbc5995f79e62167d5cdaa104ef

SHA512
53e7cc2dd1c599141d6a8dc16bf641d6d34e173421f6357fb4903dc9ddf20e6323e82f63505c1e7598a7102408aec66355653ba17953d0c647e7889651f39429

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a82baca7f5612dd4c780413382f40740

SHA1
282d66ae2313949118826083f81025f9f0f32782

SHA256
e3c6ef840c19f368027fe0e3acdbfa214067111a6aabc52a7d6bff14de99c82f

SHA512
f4212afea14b77cc15f0ce63edb01c766da9814481aebea6d21b4e223da8d33da95d13289cf0c1b3d79028ba7e695787aa22abbec8ddb473f5fed4655927f8b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
850689233c5e250969141da14f8a2ebf

SHA1
fc8628a0e02eb348cf3425c199298cc92e8513cc

SHA256
96319aa3389e2ee4df83cdaf9a4d476a23dcfce3600a5f6528c0d1058afc8823

SHA512
99cb8f30c0de7b64e3cd320b1ce08648478d53ab5a294390bd94c98e8f74e7972738ad13ca9ffe495df4e0397cf118ca615ba6db5ea5a9c8fb51f3de2e4207f4

Download Submit
memory/456-304-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1904-37-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1904-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1904-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1904-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2112-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2112-86-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2116-313-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2400-305-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2580-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2972-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2972-26-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2972-642-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2972-36-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3184-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-505-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3196-303-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3220-318-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3220-680-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3488-69-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3488-302-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3488-375-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3488-63-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3600-554-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3600-18-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3600-12-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3600-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3640-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3724-314-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3760-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3760-681-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3932-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3980-310-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4400-308-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4500-315-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-316-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-72-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4740-53-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4740-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4740-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4884-49-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4884-300-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4884-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5036-307-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5064-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5064-679-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5064-301-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5064-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5192-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5192-732-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-733-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6080-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download