670358832cdc68c9c441f1ac87c58abee8eb62ba7d93c5913996fc8e87205508

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
Size

5.5MB
MD5

b791f792877b96371c528910424e441d
SHA1

7ab0d0277273be20481584a495290ccd12bb6c40
SHA256

670358832cdc68c9c441f1ac87c58abee8eb62ba7d93c5913996fc8e87205508
SHA512

b0314b3d0af69600040131546f516e0776d1f8339ea2305d116ee6a964245628d061d58004b70f1475f3667a67dd10ee8cb669b588b49503e3891b823895569d
SSDEEP

98304:5AI5pAdVJn9tbnR1VgBVmF70uMhSBrkNq:5AsCh7XYOIoQ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4976	alg.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
4856	elevation_service.exe
3180	elevation_service.exe
1388	maintenanceservice.exe
5104	OSE.EXE
1408	chrmstp.exe
1520	chrmstp.exe
4100	chrmstp.exe
5052	chrmstp.exe
2588	fxssvc.exe
2708	msdtc.exe
3312	PerceptionSimulationService.exe
4120	perfhost.exe
3436	locator.exe
3564	SensorDataService.exe
2612	snmptrap.exe
3148	spectrum.exe
4708	ssh-agent.exe
3796	TieringEngineService.exe
4024	AgentService.exe
4408	vds.exe
4028	vssvc.exe
1548	wbengine.exe
4328	WmiApSrv.exe
2992	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c96aad712041754.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ff6080bd489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a376260ad489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c195060bd489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007047d90ad489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9a10e0ad489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057a6190bd489da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000810cde0ad489da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008583d40ad489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067fbab0ad489da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
1932	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
5848	chrome.exe
5848	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3412	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 1932	3412	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe	88
PID 3412 wrote to memory of 1932	3412	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe	88
PID 3412 wrote to memory of 3740	3412	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe	91
PID 3412 wrote to memory of 3740	3412	2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe	91
PID 3740 wrote to memory of 1716	3740	chrome.exe	92
PID 3740 wrote to memory of 1716	3740	chrome.exe	92
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3880	3740	chrome.exe	98
PID 3740 wrote to memory of 3376	3740	chrome.exe	99
PID 3740 wrote to memory of 3376	3740	chrome.exe	99
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100
PID 3740 wrote to memory of 1784	3740	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-08_b791f792877b96371c528910424e441d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc23239758,0x7ffc23239768,0x7ffc23239778
    3⤵
    PID:1716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:2
    3⤵
    PID:3880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:3376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:1784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2772 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:1
    3⤵
    PID:3584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2780 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:1460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:3480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5504 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:2844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:3000
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1408
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
      4⤵
      Executes dropped EXE
      PID:1520
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      PID:4100
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x298,0x290,0x294,0x28c,0x29c,0x1403b7688,0x1403b7698,0x1403b76a8
        5⤵
        Executes dropped EXE
        
        PID:5052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:8
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 --field-trial-handle=1884,i,12374912898143200494,830159903344663498,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3180

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2588

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2708

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:2992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4592
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3754229991a1b1583b0ce418e40de182

SHA1
522872ba47d51b687c22b0e4f9caaa7358687ec0

SHA256
45f53363865c72bb1b8420e41c149fe8d7d20c726d473622f73eb110cabbf822

SHA512
3f1ecc34f11edf1b8b35c6f8e68ddc8be30d4b0748cb2b97729f95a71965674548fe2dd79b3e362df293d734f054b123bad47e8a619d4dcd0262b80fa05b20d0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5dbed9ff0f8920aab388a6e67246e7b9

SHA1
0ed2beb1af71fc48b55c71551e25d2b71d391842

SHA256
c8cd31c969be62303fd92bc2fd664c678b2446d94daf3ebe587154d97da91ee4

SHA512
05e26055b262e15618ce338afa645c0168a0f9070dd86412587d041ca54a21f192d63162e5b2004e2c65244f0dba33a1ca5b0b789e5b66dbab8d5c28afe1d635

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b7f2c3cbe296851f5e8373a310e710cf

SHA1
aa2c87a149de282a3c88c256e56a369e1f731e42

SHA256
46d1762d4d453623bd7b8c2dd9f8ea1f0d034c059be0a4178646b2dc0b012b1b

SHA512
f758227909d49ecdb5fbeb1f9d0960f7e458c7a8663438c73b41a8ad628188a09201a2781336bb87df10c168bc42cb501245ad37ccd818470632132b01a3348a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
885bf148acf05b938f96f5a27543bd50

SHA1
5a034edb89caeec190a7a60b9e66631306dba6b9

SHA256
db7c510e3e2f3332e1fe3684e655b190065da3615cfa0073193a94e5ae696e9f

SHA512
311dbd5299021bb6c897dcbdbb3a5e8f26e22c3b20f4421c2b2b32c4ba3c15e43f2cfa3ce66b1bd43dad65d0a5cefca12b32ea94bb606b7239707dfac0b73954

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b64bdc3900474a0d0af438c5cbeecfb5

SHA1
ca1c3a8498b40a92f58d086aad8d7f5916bf262a

SHA256
f4a59bc0a0d5d57b59a1f729af0e3fdf588a51b417069f0266a92acce089457e

SHA512
0bfb63ad169ef7c57223f905e1466f9fcd4c5652537709933d3f34c27d10b6a4e8df7e49c86dec9aeea960877837a7873c4222f08f04adfffacc64941f4d839a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b81c82b56f91d8073e69154dbc38a8b7

SHA1
13dc4eaacc8bed9e3d15e4c40e417a910fbb6463

SHA256
74c6824c441e372bd15c6315829b3ac21f93ffc9646a9ad7ec98ef1e32dfc73f

SHA512
f2e1ae8d25d434147577e0af7117a32baa3976571bc259a7aab0474357fe84fa3e490f45ee2dce0a34930e5b41d3099769ba9cbb5c38af57ae9a287584869ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
afbac06de5cc224d46bca82864414e32

SHA1
2c34327c96cdfa2b420484a70a4b23dfb43bbf2c

SHA256
30fe2d5f274b1b8f8660065140da4c12f285b52709711e0612420f22fff42e39

SHA512
ee42fd68df5d50b16274af1343928a743766c00f4f1074f5632adeae78b7c1369bfd12328ff70b720afe5a8552da5e12a74b40054168b2ef88ce42ce5c2d4d0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
012a654cdafeb8da588e6757532c400d

SHA1
bae5ad4f15eac82ce2219f059efe62ac1eb939ee

SHA256
3741dc7c6a1288b0a6a77c1f5b40a02263920a2f442b9c62d91169f508f4bba7

SHA512
5d70a72ecdeb6347d977e25b468309baca0f4ebe37bbaeb2877193630361596fc93444b3668aa4461d67db4d4ecb8733cdea30b22c4fa510bb6fd8294e7282a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
30e55f503ce4de516ff6439084e2cd9f

SHA1
c0748cba5a386e734af54524d3a0229081cd3245

SHA256
6ad5d366e28e10c86351bbd98cfe530e53f3ee2cbed79d08b212e43a05734b6b

SHA512
36608f333f7ceb5912fc687e5fb006f2fc2cd9275007bd1532f420722b331163ac3e1d5bd8011fdd2a9eef51527dfab37e1a83d609c04f0956edaf45f4dee81f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a960ec7cbe88fba826a4cc2b096f19fb

SHA1
c8653667e9647d9192e3ec8767e734bc56adadaa

SHA256
9d16273b5a11f4d2563b200ff8a280894064315a1c2028ffb852005c6050028d

SHA512
4d465c6c6806e45556a0104252d57cb7f9658c0cfe8b98d9c6dd8eedf9596e7d30b867008f6b0903dd33bb5c9a06df7ec746558ced6971aa1916e92c54ff3777

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8fb88c1e09ee56d4476f7fd09f9c5543

SHA1
32d9055ca70458566d800bf330fb06c0254f78c3

SHA256
2572110b0e6420d7568896ae4601b926ce93baee3d4828526198fda85e5d467f

SHA512
bbc4c74e7c7d8ce6b3f15da1c50b9dd7c4c6a41939b7d6b02d0ec3670a5f5ff825ea36a4389a6d0decd509215365f023c1351da75f8cb673a0f983893be1eff7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5c8043843309a4b1e7f5371d4006bf9b

SHA1
0f5be165bd27cedfc664c2e1f02669aa5efbe91e

SHA256
2852b44ab84c687913590741b2ad647305d903fd2f3a5e6cb8701ae6e8ad4ded

SHA512
f4de33fbeedee6fed0fee5089e51e87e0393ce66b75b59ec6cd460779f0f1831a3ac3b5af326cb394c8ffba6c627481415722319311250d269799344fe30c285

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
95697d2f71b973a7428afd411abed922

SHA1
bbf8e1be99de985df7861400368484f40e74b805

SHA256
3fae4f6116a31f97e40b4fc38b1f195da71be3d988a8e5628f01bd5a4452ecbf

SHA512
425834d04d089ed0aff2249a038cc6364500d84b6edb20953578b42905313ff037f3fa31026bb3598b5318dc08084944b961f470f12e2a5af971164974aaf61c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
753fe33ac5ed17453300ba0747637bd5

SHA1
01f28ddde36434a2ced9827f1c0637c076769759

SHA256
1f4bce81df6b67b4223ccdfa56f1b7538e808b8a27e775d915e3eafcb433b4b0

SHA512
682d72bc17807c1efd2d7cc2b7c506dd5ed61aefd41461cd1dd2c7e06bfc2d70305d51b2bbc94592580968161f0282c9c7c17b663afe74fefb4e98d47c1962a2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c4fe65ff8fe4a71b443dc50ac3ce7735

SHA1
a72e62ba48e9027b071a14629fbeb329f9719a4e

SHA256
c48d0f4c6c1b9ef1f021d07b397aed8aea6e60363730e090e94c3cbdb5e81634

SHA512
3ff8fa61c4e2115254e2fe497954ffdc92d7c359ac103983ce5fff5972705e8971cc853de5ce27630c1cd3a10487f277cbd2038c80adef69435a40b91a7d5c8a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
a82fe5436c2e026a12adc5ec18236330

SHA1
350d85df5889c896e622d76785d531357e2f35f2

SHA256
48d059a44d595be42c8c78c09bc592c65ed1015eb90b2a6159c02a22618f2e9c

SHA512
ee5f92bda3b414171111f0c1f2146974c55bc0f556cba9f82db66061cbbf5950865f93ce66f9c6351be62d465b5bb7b1013b8033c694e43cf5398b6bfaf5e238

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
027e622c9bfaa9799720bff85f55b724

SHA1
519c8cfc3ec56bc22ca32e5ba6efea8bf55e63bd

SHA256
94e1ce80b190d709b4bb0d3d9012e4ca17ecc0b90794d776378bcebec1425889

SHA512
9e513e5c5358e652fe3ed74fc2a39ae90e2281de0ca56b33abe0b1468786978a5a76e30c639b3b5c30aeecd4c17b0d2f99b0e634cac098704f9e3e7776a5612e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c20462ceb3a6ce4b04c7b4d0b7ca3d95

SHA1
09f0ba2c28b46be62ec9d7b62e3358df96d20a8a

SHA256
db7fa92630576d4f275a7e6b71956104342cbfb4c362b8adbdf17c0051cb11bd

SHA512
87389112dee1cfe3bb56d82384ffd7dbe0b0f1c01ece6379152af424e68f1707d8c987ac5adf58fd3442cf376946cba9265cca3c113ac7971e2b46980a7b3201

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240408164306.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9065e56ea4febc7416782975fb088e0a

SHA1
e879da427a89025fa5d571907eb4a8707e2e569d

SHA256
5cf0efe4489775b2cdb6a4d6f4ec91d73d0dcf761886aa08a107c978847b6b1a

SHA512
40fa2dd40083c800d94d9e5ad37edae3cd15ce41ea76d98d7429a216025ceee872f4e14959939a4ec9abe58cc0bbd3265d16fc78a12a411120714eb53e8db2d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b9a9e7e601cd640d5ba482f36ac074b2

SHA1
e9045a5a67d1f0bd685f2469c9ec2ed39fa9fc16

SHA256
434d18419619d5639861cefc0b32ccbc98a94f9c3764b1eeac46b5d7e9059809

SHA512
e6970fe2991b483e51da3a61f92fd95fcf45fd28c1128d8904119e6ef61ac817e3371d22c25c44bc2694a4ebef9be3a6fc93508a3912e21791950ba6ff875115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c1113923b3a98bbb425fdac47980328f

SHA1
e89cc0b19cf2abf5aab16c24d75d1a799c26e790

SHA256
ab13e808806e1e7bcc1d5b0052dd518a87196a633dbcc4a1d11cb488b8b66b15

SHA512
b94bfdaa32f04e23946aaceef85c17d3fca505a0878ecf5cdf93f3f9a412413661f0d0f1c2a13e7cc578649055f589ed3d2bf9ca4adace3028b71976b4211b3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
31214c9390daa917574ef3cd63f03634

SHA1
aa23676a2ea181947b859217fd0bc90247c03c0f

SHA256
fb7d2329e44d6e89a1ecb07b210a1c539a8a2a5bdf37281f375c658790943ee7

SHA512
a19d972dcd5f32e786a8564c8f67e675ed46706f339f8b494a4555313f7f71d7fc74e8fe6a875072222d3196da01510d0ca5a8f19e9a6cf9ec70f240580e9d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cbd3eaa4173676452d12f6102c29ca0a

SHA1
6aabd13902983b2473faadbd0230549b0c6ee8b4

SHA256
64c04a3d1fe9020e3141b8e9cb122b514d6c13bf35679723715cb20e852d413d

SHA512
ceb3e324029b9c18d03d423d91e7df48ed39260fd4b174880efd6a40c8fcca8e8492cfdb1f3dace0ca2aae07b918f623f580e2ebc1f32c878c9e2ab509f65c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5cf1fca4c6a238ee0f87ab1269773097

SHA1
8eb874ce42f91e8646b9f824c961425f2f193987

SHA256
0043a8ab95fd6799b2e190071d2bef7261883c472b9d907cb815c896d6e93a60

SHA512
c8405316f3c5dbd7446d006713130c7c925df2d2e2c0a6acdfec9d2f65cf64f7ce07437605c6834c81c662fd8a25acf848e6cf561a223ff2ea5663a770426999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1f2093868d78a4032fa55826b9e17688

SHA1
d8ef3e1f22f089238765ef762c2abadefaecf26b

SHA256
360225cb0788d5851c4e932b2115026fc4b506a566f03805d474ad7f5aa85542

SHA512
21dec7ce98a724b22fbd55bc622d58e6aea9cddd42a168d544a44682e280a5eb135bf319dd719139ec94bdf5b5a5354f3ca6298c1fe568f1616c87b26cbfc142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57aa0b.TMP

Filesize
2KB

MD5
5e5978ea6697f2fa98c178e1de9adb31

SHA1
684c80971107bca29162174963b983b678569783

SHA256
d42620a7fdbae714911a31c8722b263d71b711057f712de986f2d06ad8839be1

SHA512
2d136fd200b08a80134000fee154bb33bfeb21ff8fd345fa1f2c6a78b9560c77d3c8dd71fd6fd2ba33b441850108e599942a818946b06b3d9740712c5954025b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
420299b08f17468479608aa95f7c196b

SHA1
92c5ae9ebde56ed43413242335a6d2a91c716486

SHA256
c08390d0931d9b28ef43ea50bc156df5e1bf161984448c91b6a42b173b7397fd

SHA512
ceae91a54066873987bdb6e98b6d5351ece1409645dca8e2ffcd1e4bffcb0c65707d80ccfc54b0b77537b95ecdb13d2bcfe816f7471762cf06824c3440a85eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
a371a9a485a10ddc749d0496d9830ea4

SHA1
41d2b610e585bd9f86db666efb6d35d826c7f5ac

SHA256
aa5e7a82dbcb3b8f57f6048d868653e89c73b7688b6f1a1b72a2d5c1781bdec7

SHA512
be8f0e46c40f4eada63350c71d4d534549c8148fe6d1e8f3edaefa23ecc616a4ac824f8a0496ce2d11421c70f1e8686544fdac8229f1a196f4449853bc320b74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ee84ac58-8e20-43e2-8f2e-e5fce5dca109.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
a57c0310f70b5d33fd4460d58f98f3c7

SHA1
0f2d3c86d83182c4ac800e775dc8e98b90453729

SHA256
aaa42e20b905a39db7e8dc18dfa43e71b25fa52d0f2844a7f97fd98ad5075e84

SHA512
7d1cc984bf1ba9262d6c0a86d62637fec7185bd8d317639c10218c62f9b741d8032f8b4ec4170584a97a4f9f7bb1548a6d14aac03accb100e164ffd03e826eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d05510002a7ec8fd4d0dd1d1b9329de2

SHA1
4552e42963fbd00874f564f9af7912649830487d

SHA256
b790543dfc89a62fd4253933f4b4b13eb8f9b6b70b59fbf89089328a20baed00

SHA512
974fd100efd311b921c48c6a6ee1716b289785526c1da7c2e32d988b49b25b8f1f62a995f7004ebf032f567446d21c64f942a93ef27e8dba4ea688c1059f7944

Download Submit
C:\Users\Admin\AppData\Roaming\5c96aad712041754.bin

Filesize
12KB

MD5
3eff1350cb704ce281db1edc353240fd

SHA1
9b86bcc2e81b5cd874a4d02aefb97c2058301bb3

SHA256
aab031076553c7dcf19fd2c121010e0555da219dd23f53ada597a83648ce0aec

SHA512
2a74c4fb8717d96d53b314901c0548430599f19ca52bb69c5fc1549d0ffed265c0be3a22ddd895d3271a1fdf03fde0bf51e37393ee47d7a836641c254f32885e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ee1bf91f2ee112c672b85f48a35068f9

SHA1
6070ef52af86e4d4f8e7fe0e667a956692da29ba

SHA256
773a5aa391abed158e9cb878c3a52a92217ff082a543d148c19d3bd11ff145c5

SHA512
e373bca642f0f5f47b1df1fec53c18765963756fc3fadfd56b76d17fb6d48ea22e5f6cab41ed793f46e70524280df1d629d201e26dc4baee665b24df5ec377b7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a6a3c7d64f400714851bb883e278624

SHA1
a126e7f0c6f41b21e3e2bd0c155016a7b2b3d7c4

SHA256
2b566bb0ffe35b858245a807f60c42b6c38d02a32a0c8a8bc5eb4840f96ae4a7

SHA512
f6433ff66bbd29a6f9348f24b318a5254293a9696703148a047490355736861d11b84bdd3b16711f2afb0baa115e00c136b2cd2c95e8cb5a97e4d790730d8016

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
08ce4e4519cf674b5e6592eb8854cd4a

SHA1
a5d9e7eab65cb90689f8f48a815b45700d211ae0

SHA256
c61d18885029db99c366bf61f310f402f52c1d5ba52956d12753d6bac033a361

SHA512
5828b69083f0412fb25c02364a97d6fe229519493aee79898dc1c0229475af436c5840bcee08158de879ef508db86bb37d499a091548408cbc19197dc5e3911c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
13d49002022da1c211a2deb2d0b72aba

SHA1
84d124817b6217c6cf66f255382a612d8ad7ef62

SHA256
f7bf53a1a310d83302c49a34e7630f9a37ae064eb7d6db92aaad42acb93d20cc

SHA512
a50c20d7e1a2a813c3598a69495b764b1d802b470a9e011c647af6f84a417e384c6d664d4fc22db27574b320b29b4b6be184f9c5cab385781e93537f561bf696

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ee7f159588edb3eb1327cc0ebb6bdc96

SHA1
4077d45c17b1db29b33b92c205e83eb1d31cf03c

SHA256
4b9cd54273fb84efbcc3b4bd672d0d7caa91a194584a35e7468094d8e9a52ef8

SHA512
0d387988fd17a047376a0faa90bcea9169b96b609455e5dba2895c05406a67012b6fe9a7ba7c098af44e860f5e750c7168480a871c89ee33189d3c0fdaed3f61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
81d175a8d81d27c960b5ac181b02c96b

SHA1
f84fa22c69f9f23f56518a0db92963dd635b96f4

SHA256
aa6fc4747027a780b5146dc68635db3a0778874ba4528cb20c90b91272fd3929

SHA512
77715c4de45c29f74fe3a03691ab39124b23fb2c1626c37650ae93cf46adae9229d5e88a1380c473addfa34c4266d609acaf015c617889cb2191fc931bd76f13

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
282d6337e5bb467bc438ad6cc0463ac0

SHA1
f450c89846787d120a93a601ac74b46362c9a92d

SHA256
fc2f03ef664efd65c7bc5dbeeae31248c4291af9b6ec6af5066d69e9a928e06d

SHA512
25b2f0da2df7dd7b28a33e1c7c9177c9b4fcdb3e9e75d172c9ebeb02a43f5e0eba100ecf29f9e66ef05a53fbd8c7a611db083a1e2f40646285d857d6f1cf3ed4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6f97d4411ac66f3dda4c9318d1ca2a35

SHA1
588b83c8c4a42de725eeafa1699749e222012947

SHA256
9bc683ab0cb1869c86e21830c42a2be4742f3e42d96657878b07be8d85549be3

SHA512
817d757a328535ef4d1be6a59a945843867bb652f302c3a57f9852b7b92362a84597f7de1abb957bea1c31364be5abc3ae5a460100eb0ae1c92ce648a8b680ce

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
557512bfbbb6c3c53d42ead9d140faa2

SHA1
ec1481d7fd2e5f79131a2edbabe1fb6ae2c02be3

SHA256
3ddb279e1529f510e1f8c7982bfec3010bd9c55f05f23b39c893e427914fdf4d

SHA512
1000cf4ebbe60306669d98a9e91520489e4cfd16a33fbf6f6b3e864815d71149b8aa5144c6adec9dd793432b3b98d41f40d8e39dc6d2f359aa66dc96602d1701

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0c8ad55f0fe3256cc310e5dde1040121

SHA1
9e350e1dbf2076e4bea8d7c7578182577f519353

SHA256
be25d34a159dbaa1bada99e327d552f85b7b04280e2cee1c73578b69200f01d9

SHA512
c3af0effeaa21118f4ea351ca1d96072af55c750edfb3429d62d84db1eeda2c27d352631f14df16c1249320cc2bf30c557805d9d6fa18d66ec416dbbd3887df4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
832eb189cd43d4aec87f24cf9f75edb1

SHA1
e3916550b71887814a9eb0d394f56248259b0fdc

SHA256
bcae7a37cb07ebd16917527e05fd111e4823335979e8eb3ecb3aabaa4102dcd0

SHA512
3243cae7b982f62f725b3c817d6252106b7350ee3c976138b55fe04a78ab85d86a737486d6f012ac2d5ef30990bb6f2d4e439514812b5aee245708a74e63baec

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe7048acd1669302118aa81ba346cd11

SHA1
b87d4f1eb3e5e7720cdc0adab6232294e2e1ed2c

SHA256
8374e33f50bcc5fcfa3380704988ad879e9675ea14540a2672dabed1e2f64be0

SHA512
ca08acbcfb5749646e158b53ccbb10fe2bb3f7e14cc43c710b50498d91fcf4ea2e0b00cb0240b04a2f0a0107c771cb6f088d662406f79ec445913dfb71466e5e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4128801b7b6f84bad43390c2182ab30e

SHA1
1c5b14aaa7d50ed9a923dff9a163ff37a32f58a5

SHA256
86ddfb80d6a462664e6607b6c3cc63f01135574c1cd5e42098cabd155a9f4241

SHA512
73af790c8fcb636f2f923e5fdab2135f0c124d55e694587966724ba055009a2200c39900cc23ef59cb3c5b20b21a2f173557cdac89e12afeb0579d2800063476

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8bf51245c384ef2ac44dbc257fd41380

SHA1
ea1ff5786d047d0dbf68a8f5b82e715e1b9e7d6f

SHA256
53231e1ffbf20d6ebb54b545a99c1f3dab01205eb0a1b67e661743cbe007ea2e

SHA512
1bf57268d9cdd60e47c5ebecde707b791e9d04c9ac8d02d349d38c0ef60d42049c250636bcb4904bace251a85c04f55ffdae0b43b61338840067edb05a67e72d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5aabd214217d5db788e6ca912f53361e

SHA1
725bd257f2f50c3809a6ae6140f8ae518e8e0cb7

SHA256
854f4079a53dadab4ee349371ba688df420dd0b619e079dee7b3f6f6ca209477

SHA512
c549fd85590e90def376d9461788294a4e23a09043d4e172ce30e1a997c41e1b3d858e3a4450767bc7e75fa28eb42f9ef127d0c58b30006a03bb5f907c52e72d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
516b5d245211fbc56169bb549c4479ef

SHA1
0c52fb94754fcc660e2cdb715db48633a79d729b

SHA256
3fef7675cd3cdf77092998f3aa38a6038fd1579e50cead6ad32555bb497e2fc1

SHA512
c8490252df491df7a69aba722f0335f5f3e6742bb1905e7d9c5b8a1f8ed93a5ef4f8171f687b97f181f86fce16ceb432c5adebfd534665f34466474965215d45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bc7839f24e5f63b7b20ba48daa59a121

SHA1
b8ed7aae13f97612c5c0c87103ce068bc7b4bde1

SHA256
3f3e9b60d7eea562423610684d139a22999547006bd2c3be135201ecc6797bab

SHA512
05040a8e4bb25762b37c4e199be667c3b11e19674c0a7ed0d22a017991aab6d8d4b7943c08a90870a34705949bb3910e54a865698c754e2d5dc9a10a605e2992

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
79e9b98d335ddff07df4b5d55bf39571

SHA1
3af9637729d5c776905fd3fbcaa2623f3c3157e7

SHA256
9eb316ce1aa0e3a08bfc451f892e37f819899ec5627550aa582bc2a954e6a148

SHA512
248781013ccdba22707d3ad71661ced8fd692773266dc072fd30e6ce0138e5ff8e2ba718d5e019d24f8c218b3b1194fbd0f8d87a134ae5cc993509fc1059fbb2

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
304b2380e5272f6b0b2cbb196822f1c4

SHA1
7d9ecc1e26990b05260a6d9da8f7bec621f87271

SHA256
144f23fa6e3092e9e119ff7a7b4b6c8a8f1f9c7b0e2a44c5bdbfe51f7d21cd7e

SHA512
9956ab27a441d3c1167480d004e0eedfa3c6733b7d8ff7ef9281ae1ad5f41576dcf816587481bfab3d3cd2465210e8965febd0115b50e85902894dcc48419421

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bbc3447717be5d5d30bab91366035858

SHA1
65770f9e0d3e713c8fbffef49293d33842f7bfba

SHA256
39bf7a75db0bbd8ecc527985551ed3894675013176ed36e37519cad781f3d165

SHA512
02df76a98d17409bd66016a414b7970a3c0aff8b8e21cbdbdae785888ab4192ca4356796a5ae1ecb5d5eeee2971972dae06a47d7bb0f7914fbf5c016c894c2b8

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
a22e8c213aa72714d5315fe88baea92a

SHA1
1ef75c420b86e2fe703d8a69e8c52498bd19d033

SHA256
0bf52a0d5aa25f0346e22198f0b129a6876efb9721f3f6ee6233db07e694a712

SHA512
ee81d8feba3a0aa4a8eb702f401923233478bfa811276bfdf27e7efa89ff0e6e8b40bb1d1a621ebdd9dcc6edbd2f8a2eaea288f63e0d5020006ed877d6d9e48c

Download Submit
memory/1388-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1388-80-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1388-92-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1388-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1388-89-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1388-95-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1408-398-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1408-280-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1408-399-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1408-285-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1520-307-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1520-291-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1520-429-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/1932-17-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1932-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1932-30-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/1932-98-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2588-469-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2588-460-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-474-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-475-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2612-543-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2612-533-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2708-542-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2708-477-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2708-485-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3044-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3044-277-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3044-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3044-36-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3148-546-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3148-555-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3180-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3180-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3180-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3180-302-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3312-492-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3312-501-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3312-554-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-0-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3412-8-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3412-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3412-7-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3412-40-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3412-51-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3436-573-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3436-582-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3436-508-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3436-515-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3564-529-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3564-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3564-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3796-583-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3796-574-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/4024-589-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4024-596-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4024-601-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4100-319-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4100-386-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/4100-387-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4100-326-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4120-568-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4120-505-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4708-570-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/4708-561-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4856-54-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4856-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-133-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-63-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-132-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4976-14-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4976-87-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4976-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4976-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5052-332-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5052-432-0x0000000140000000-0x00000001404F5000-memory.dmp

Filesize
5.0MB

Download
memory/5052-341-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5104-339-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/5104-120-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5104-97-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5104-108-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download