c3f77b8bb9eff67df3e2e4bcc74a6324993a85d324f7f97fcfb5dd2aa607093e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
Size

5.5MB
MD5

73273f01e4faca50aa8cf2f3d5faa22b
SHA1

35a91458ad29ac0f5611cfb49c7625e13e2a1ae3
SHA256

c3f77b8bb9eff67df3e2e4bcc74a6324993a85d324f7f97fcfb5dd2aa607093e
SHA512

eff0544395d7dca1c6d52bb0949c033524b8bc6af88c63fc79972c9e612468f3c9ce6a60a84d0e0ffbbc3aba00ce55c3993a222c7c8d174f759b465988da9e67
SSDEEP

49152:kEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfz:CAI5pAdVJn9tbnR1VgBVmI8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2996	alg.exe
1372	DiagnosticsHub.StandardCollector.Service.exe
3800	fxssvc.exe
4924	elevation_service.exe
1920	elevation_service.exe
5116	maintenanceservice.exe
1256	msdtc.exe
4300	OSE.EXE
4760	PerceptionSimulationService.exe
1296	perfhost.exe
4420	locator.exe
3800	SensorDataService.exe
4588	snmptrap.exe
2964	spectrum.exe
2528	ssh-agent.exe
996	TieringEngineService.exe
5100	AgentService.exe
5160	vds.exe
5284	vssvc.exe
5388	wbengine.exe
5484	WmiApSrv.exe
5576	SearchIndexer.exe
5780	chrmstp.exe
5916	chrmstp.exe
6036	chrmstp.exe
752	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc024de45e51cbec.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c124c8032e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbf589032e9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b89c9f032e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d45a4e032e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bba8e032e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588661324370265"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cd063032e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2cb33032e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da95c032e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de9468032e9ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5062f032e9ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dfdc0032e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4212	chrome.exe
4212	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	552	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
Token: SeTakeOwnershipPrivilege	4868	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
Token: SeAuditPrivilege	3800	fxssvc.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeRestorePrivilege	996	TieringEngineService.exe
Token: SeManageVolumePrivilege	996	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5100	AgentService.exe
Token: SeBackupPrivilege	5284	vssvc.exe
Token: SeRestorePrivilege	5284	vssvc.exe
Token: SeAuditPrivilege	5284	vssvc.exe
Token: SeBackupPrivilege	5388	wbengine.exe
Token: SeRestorePrivilege	5388	wbengine.exe
Token: SeSecurityPrivilege	5388	wbengine.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: 33	5576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5576	SearchIndexer.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe
Token: SeShutdownPrivilege	4212	chrome.exe
Token: SeCreatePagefilePrivilege	4212	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
6036	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4868	552	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe	84
PID 552 wrote to memory of 4868	552	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe	84
PID 552 wrote to memory of 4212	552	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe	85
PID 552 wrote to memory of 4212	552	2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe	85
PID 4212 wrote to memory of 4628	4212	chrome.exe	86
PID 4212 wrote to memory of 4628	4212	chrome.exe	86
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 4724	4212	chrome.exe	94
PID 4212 wrote to memory of 3596	4212	chrome.exe	95
PID 4212 wrote to memory of 3596	4212	chrome.exe	95
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96
PID 4212 wrote to memory of 1960	4212	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-29_73273f01e4faca50aa8cf2f3d5faa22b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2ac,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdbdd9cc40,0x7ffdbdd9cc4c,0x7ffdbdd9cc58
    3⤵
    PID:4628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2400 /prefetch:8
    3⤵
    PID:1960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    PID:1636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4784 /prefetch:8
    3⤵
    PID:3356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:5136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:5628
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5780
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5916
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6036
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2cc,0x2d0,0x2d4,0x26c,0x2d8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5052,i,13996685690333677740,2152300267210957515,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5788

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3b250a9bcf47239c4743cab349cdeaf5

SHA1
991d89015067c731aac6bd29a38dea8d417b4993

SHA256
722d21bd12b4b6e61bfb33b2fb457d997a02fb6c056e30deed4f16376920d67d

SHA512
34b09863a341f1bc0a3d202d524eb3e991c7ce0df6bec3c6c5b2b368ba5856b8d75e6bcdb6623d3ec17424aea45ed6e11b928ac700b8af347025305396e565e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
6ccc5feaca3faeba78b8548bbe273240

SHA1
24ed95dc9c49f88e415a5cd5b9648180d32535ef

SHA256
786f67d27a97b2994eca57110b1bc397fc195975d428959f0704ff3eff600d9f

SHA512
0333ef905b4964911c262a139e59ef603f1fb600dab4a1838ee065ba8b1006f084df935ad3f643d0fed8786584fce0d469a342e58de42a545a47eaa782283c4b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8b9385e79e584eaa6ca7593995bc59dc

SHA1
05daeed05d1a25e064a05cd915e231c49801c790

SHA256
7937698ab005ee28248b98b3e003fa3b69146ce3a07d99f21ea95b9bec4d2efa

SHA512
5ee58d0eac53b467f3daa9baeb4d6f2b1dc1411cf1f08288e14c973a49e8fa4d59ece420af2b1eb40b5726a599602e36c9d2fdb01ae9724810bf04a987a0a87c

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
ce62974f70b576caa3ed9fcda731f589

SHA1
1d0c5184dc4c8da23056954c4a3680561eea2274

SHA256
e6ae3c5fee0c7bad095050ae5068c01825c5eb2eee88fc03870b9a84eae80956

SHA512
0936a0a65cfd718f60cf5a0e82e050d3a2da7f38d2aa8ac5e262cf3313a95203f512277dcd4a058b5eaaf11b0d6c7e34be079bc34317287cc827d1dc04539f2f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ec5c97da23025eca07d5d3e6613c9636

SHA1
c55a5ae8edfcabd883588498fec0a4890e181534

SHA256
f5b9f100349a7503da65a97dd8035c3777992c61df027a551fbb5d76fd73c71a

SHA512
7cb554aa1dc1ba8c74ae6a36ebe05e85805ed424aa30e1e31160e87a9e2f6c1d36ed43cd6cf698449586a3794e7955157d7680c5d958715ce4671c78818198e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
145ce1be324c2989c5f20b37d58032c3

SHA1
45a8c0af4d6a604f5e49a0cd4eee9b148cf2782a

SHA256
d304ad869a8e37334d2d69964c14eafbafd5aa4baddb21c8d17e915329636d41

SHA512
d5257bfe2c2f1cddfc299e058ec7a50baf2306ad11fcec9f5266aadf611b32dc968b57059bebc63781f5b35262b302a22ecbae7c00cae065f3da21c24d95f0c1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c6752323-967b-4b23-be44-333d43b12eab.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4028af5310a118bcabdff1e28f78e46c

SHA1
236e7e367a8ae143ebc97c611441424ee227e8b2

SHA256
de0b319ba70ef55e6d19447fca84656a98966198cef901882e558b1752d1033c

SHA512
66fcbfa84491fb007c0169a7ed968b0a2e5bd2d25979006b3691463ecaa38dc38884502a703622752758eaa2876b47c3f322ae3b3f07c28381e68ecd80ba6698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
961d4845317c63b59b350002363f0647

SHA1
9aef8797e2d1c2c81470967b62f5bb0eb5714dfd

SHA256
f024853f252e361cf83b528faacfcc85d4ff8525d2aafc5bb58a16bc7569420f

SHA512
83fa06021f80a52cb3e438af3077f028699f79550acfd85eff60801c44e024584f8ae09451a12a1169285aac0a3222538d6e7008cace7f97c66ba2ed13069cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4f90869ae37fb0722f5486379ca4e5b5

SHA1
81456aa11324ecd39c40bf22fb69a88d3e5e80ef

SHA256
6064e10977ab228dc421f8bf8820a2dcb69aba5aa5fdf52df9d25ab39fba38de

SHA512
552fe944ddea99fd07883f664ee7ca8310aee94c2d3a821fa68b64076dfc1634c499e79f0347093a126c29595912dc063978b884583d74bbd65b8213fd6af6e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
a4af90358d2cd987461adba4fe36427e

SHA1
5015e236224e2434b2885885f158edba58726ed0

SHA256
ca90fd1f4af26504134a96456dcc4ee03d012fa5ab2f7383c3a131dbb6048538

SHA512
eb96cf9b74503708647cf4dd73957a9ead23d395699fe62a755d7fcdc79945b724b22586857e47cdc8f1f25814c123ba22a6446f0d36b990fd50fdb5df8d6120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fad5afa474f7b634c7361010131e5f48

SHA1
9c11692142042f175e71295df8c6656e6697c2b7

SHA256
ef911d75a4bb8ac09f089aa04dd8beb10e5a73c7b0caba069cd81c05062d4e7b

SHA512
d706cd9d082c8807eb22dce554bca90be814b7eaae076da23974cf5122e2daa46a449b1bb9b7b3ae89026152f88c6a5b2163fc0625c0a9ec297609c193ee1729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
13d1e1bd5e37d82c515606f3980fe1c0

SHA1
d2b4d7c83d385f904070b9e86146f85bc66ed76c

SHA256
0d9e438759012682fafd53290071e55770d1aeceee0ca8b14faccc6389ab323c

SHA512
c4a522d2c63f7cd1841afde3538fb842a92204473ef975a3e09ef22e99a1f889c95bd382585e70ecf57aca55838466fdd65b2e44db1fbd2fefe5b874730a62c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cd2542591873d0359631b3071f324f26

SHA1
9b3f2b3e1d4d76c5ac2668a9177a8687758d2230

SHA256
66fa294116137df7773da0716a356bf841b50a107068e4c41694c170f2fb2bd0

SHA512
c2f040efd84e1d5f13f6df003a60aef6cec992a124390c2b644dddd93319616b61d7eb648e30bf14d194320cedef8c63507ba95130f87d6442ff8df0402b1562

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c26fb2c4e1c6fe08f9b897a5069efa49

SHA1
1b4a0cb32f67e705a05e9d2d16045c9f1a01fc1f

SHA256
761558c985917236c6b76b84856d3e1190d0b37aa987e2ec0260cbb3456b249a

SHA512
2904e68b52af1383644b07c14e958eaf330a36d4850b13e2280f39d5ab8cf50cdca7be65292b081156269bbea9a01b10e7fe77843ab0c2faf5c091bb2783c3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1d6fc1c97ce655c2cc1d83a8c19be287

SHA1
d2728facaf0766d1706ec6521fd38c0d8a475991

SHA256
4db31b5587a6072c8486d400096de728ffa2e0dc7aaa7a59b258980df0c06eba

SHA512
f1421e59cf3292d0606e3e77ab518af9fbd67380b29357037457bab81c5ee248ad1a83e45a20b19aaaffb6c43cc5d2ca500f3fc92d78e8c4f3ff2bf875e73cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
78bc810273e9342a0b84f87ad19edad0

SHA1
7edd97ef3a02d0c88bdf095b34450155ba73afae

SHA256
e0117bb95654307095ae95dfa11bf8e045934af2143d3d7753167349efb4ef4b

SHA512
0e8d53965aa1ec458044aaa28ac9e9382feefd5562c665bd21d49d6992cbdeb24914b6aa3acdfe86c0eeac64030edb576c295dd1394ea1a15d13f92c7d07c5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f601bad71c1c0b01603203780c1f1320

SHA1
8a8bb7ab19ab84499f66b42af999cdd16092a399

SHA256
460757adc9ecd1129cd3ae9dc7787e434b2acd18804b9cbe2c3f921312d261ab

SHA512
2cdb0d4500b33cd5a2bb73c1d54253698da90ed35eae7d09129c415b44b1664ad4824697605b9cfd1e1a773fae6da537202e0762014337cc31521abee18cdde4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b712fc097afc584cd260fad43f7ae434

SHA1
6935478f066ad21e21933963601b0f29d66a29e6

SHA256
4fd004388509233f07ad775111450176bd182461f71c7933933cc271ead4c9f0

SHA512
797945fa78a104c350b9f580efe67e4ec417d992e688ef60f248198ce797c02f379b7d60fb27cf106d003fb170fd266f2c084bb3e7632eca44ff26fcb18f9e45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
936ef14907566d1c4820cb1312ee95a4

SHA1
9e92f456d2aff29f45f477516195f67bd30682d9

SHA256
0d719853ba46cf7b8320ebc34adc48f330f02b469012a0129dac05e1211ff55b

SHA512
88e649c53f876025a7b1b7af9c792a29d08153c2dab5f219ff69a77a2116138f418d89d3a51db418b8ea81b6866157c1267c747f1753047b2ab10dd42c891343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8686f4ef24bb75a600a24d7a89ad5db

SHA1
22d62282821ef804ca1134ebc117a47aad4f8de4

SHA256
0178daf9288931a86f186c135e8dd43be1f640c60d21eba0d246f245f86bfbe6

SHA512
c48934e7f8a99aff61311e7294a53891b4ce9f0ca3cda482ad0e06f608629e44d89610cf726e09c58421270ff8447bb2a975485d9827c0e663229d7f49f102af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57663c.TMP

Filesize
1KB

MD5
a9e4fb16ebc1d3de6757b487b831cc45

SHA1
0ead6e58650cba57a28d3c3dd4dd2b30e81510f2

SHA256
b89f59dcd0f69acdc7ca2b21009bdeb10dd7ea3489eeafb3427be2e9292b17d4

SHA512
3025c8664efd390c488936d726e91606c8febf2d3ed9d5b7996223f102bb478777142d8e2427c4d21e19d61ed7a98487eb93d7f00c2fd22bf23078807f7611b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
404afd7f7c345120943fd4c97b07ccf6

SHA1
833b6f3af2e40c776fc39a4a016e07a98af12f4a

SHA256
8029c8c5b786739b6d609e4f07f5e4b6b1c5e2fce81178d9020eec654036191c

SHA512
dc9d4c5453ebeac6ac8c4c60c524cc54577437fa95ed2bf90f4931fa79f5d58f3bf2575ddaeb8f7b97975205591591670bce23136ec288e2312b93d2c8dfdb03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
88a5ff6b6f7285edd4944d8a1bfb9202

SHA1
ec6157cc3ab7c0d0cc4ba5e7e3dc00ed0aab39db

SHA256
02379435ce6ac73146e305db5abd76d545ba0e2bb4a9ef33e8c1b357fd323d4b

SHA512
ad15486e1eee01ee253e0e2e25767917e508c0c3773dd35b08a99c1aa3ed0b9d24946902584e24843023f75c6fab15c62b64dea9c0d096a5591a95a651991777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
55b1b64d162c1aba4dc5ac3c8809da8a

SHA1
6377a71782a28b2671abf0ac6507fb6047694dda

SHA256
b55b57954919a043e6ba093c6bf31d963800b433a08f6d72d9ea317c1d409920

SHA512
5a9b10f79c84bcb489fec9af7707a7f536a8782cdd04b97fcd74ded1d5fd7b45d159ca60a1a45d8d90e78b174ea11889fe95421bf0ec6bb8d138f5f5724f63d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
42202d9c5501263a0b96d73edd94f58f

SHA1
d33545adbd19cbe4c117a6be3e203a2a2b53819a

SHA256
495d42cd94da31e5f373c70e9bebc30a8ed3b44d2a947cafbe134640a033e0bc

SHA512
185959b67d83d97d2b83ba401279dd39d8d50872b548170e14f2f2d02001e448b92b086f9cae5c745dc53bd86a7e2652bcefb720bc364d97765512ea036e0099

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
2db55bf95acd2a50b6e030ec129f3f7f

SHA1
426566e6dd229da892d426bde6d99f8fa99a7430

SHA256
d9554dede9fc9398f84b2aa8a80dea91899eea75e9518a29616924cf54dc53bf

SHA512
5f5cfc9d5676c6ec69b65277627e6e92ea4fa71f42eefda794e438100161fe8a1316d432788c58586ec978ce328ad5a0a03594f5c240905919e4e61341e33c88

Download Submit
C:\Users\Admin\AppData\Roaming\bc024de45e51cbec.bin

Filesize
12KB

MD5
6208ed8a649439cb55b232e540f84a9e

SHA1
1328cec2003bc708ce8a20573a43171b89e057b2

SHA256
2ed0ebbdeb6c5f7c2869f80a9089423b72dc186821a6961478078c8b6825bba9

SHA512
086e10878f516f2007df2903ecfdf33630def45c3758fb1926739d37b1bac8e668b63aa2ba2667fd9b48315cdc0c28d0b8d183e7dc67dbd14d0e9c1abdfec611

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9bdc23d01a1de1f9763197f88aae4068

SHA1
a756f68405c5f17b8ddee92c3d6dc5bc1940919d

SHA256
4b5e1499a84639005fa6b237db7e2967839ae525e1ddae5d641b4cd7298c721f

SHA512
63b7ee9800931a10530d0ea7fbbe0e84f184a173b8d54934f81b6df94c7174896e2b0abb96818355c99db4155f899a8e09e0e1a02e9852dcc6a988d3657ccb29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a257c2a8722d6bff9bfbb81715f40959

SHA1
aef1f0e79846effc08c6e6b1cf3256d685547672

SHA256
ca41c6049838f9cac30e45aca7889c6fa1cf057e344771f1fd3e4f5d6a4a95fb

SHA512
a8f2ec95aa79ec3b3c5923c30b968189b9976e7aeff7a2947446adc959b11fb0060ea46d5d436b65d824bb230a6e47e8ed70ebb71dadcca9a2a0e1188751d130

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
74f4b454d42bf15812d1a3b9c8c44939

SHA1
618cb93a2ed8d858977321d0a282c573c2ba2bf5

SHA256
07547c1759ae72a9c03961410a0727a2bbf01e8353b71c9aab8271e26e647cb5

SHA512
7029a59f1ec56b81908c8853e06321a50683427b4d802d2c63537985bb62fc54916e1bd12357da91e20d44cd95fcf82292ce69ed556b598c35da346cbeb01ec8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7a014ed4b4de6d3b62aaff99a780d103

SHA1
18c278a1de0c71ae7c7bd47cc8ed085359e150ec

SHA256
5a827f02b95b70bd1fb03791cd7d7a0298897dce1b34ee0b237d77584d853d40

SHA512
9cf7ac04b6288e2e29ab97f48e760185562f49c72f7e05f0446d30932a8cd14cf0a807a62f4f7882044dc2890e5713ff68196045132db8b31fd321cb819767e0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
134734b89d1dc14083a4c0fb85de58ef

SHA1
f3aea986a4ac25f2502e918b22fde4b084d6ed21

SHA256
b9e419cfa6f737610bb52dbcf242ca89cc4d03e961cf378050ec8ba74020e119

SHA512
bec6bc7a3e137835909cc9e2f16df788f9eb37826abbc320067a4b725e75f954f68108c540e81f4f41aa88ff6eb19cc74914da487690d4d4ed34106999ba94ce

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
68f867540bd9ca1951f6b351c22ec8db

SHA1
5dcf96ec222528ea3c309bf6ac01ec49427edfd1

SHA256
b22ac0f1b1141f78de019d45fbafd8c974c1845a852ea35a0e68bc321baa783e

SHA512
6ac4948bbe711eda123f1e74ee6259507b9de3ecc92daa03f9bd7ce5b0ecd7923b0f8b999d70a83973575a2a399e03a43520fb21af169361cd7700b86255f30c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9951048853dfc7c9183a3b1e1dddc4dd

SHA1
35daedd66858e07b982a2f6f95da5501bcb87d79

SHA256
fdeaad6f7d23ae84abec26232998e5c9efc12d9061e8cd2b31ca32fa91f83e73

SHA512
8ee83b4d3d18f34baa9831f7cca2c6e53cb4ce7ecce80830be8d7d100a254368c8a8c73d8919d54adcf17aeb68bcddc1318f8f3f4319256b79581835db94f5b9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
619f79f3e1fd4fc75b59030c677c27fe

SHA1
5557db183bd3b1e2ced1f23900fcbf4747c4c2c3

SHA256
39627fbecc4ddabda8074953d86fb2f7cd668118e86d277efcf3a093ce0e500e

SHA512
71b7486d3f78cec3954b66b104a207d272870e5bcfa1f895eacdd1ac542fcf3aac3153648910104c9d071bb9aaa8ae2cb2732a9430c278c499ac48fa1f4bb816

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6aa6deaaf262ba8e561a9687b98c858

SHA1
1df08916f9f2f529028c46f7d534d89977265189

SHA256
93f2d533b12c5b07d23788e9cc94e3c0a3e3abf257f8c5b22899b07680f54aa3

SHA512
8c86dbe3f5ca8b26b162c56d29adfa6a0c768bb8671270f2e5224a1f50886098ababa5df361af6af898e372e1ae6e1ac809c70bb09d2af6e5bb18266edf03203

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8fcc9a43c6715c4a5acea044a47ad717

SHA1
bb26067173bb79ecea0771c9741a98fb81c92662

SHA256
e6a399adc567a36fefd25bc0869d65e021df21f7c045d284bac70d32a0dc60bc

SHA512
b8a6204e348c2e44209fdf5f8610655b25c00f066a64e43c7ef2ec2d456b649f3cbf8705c4eb32b27c7d4bace1d22c9d4a2499bef19bf2cd1484b00c0e555c96

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c4bbefd8b9a76e5df97faea7d55c8132

SHA1
7acce04a6088494f80413b3dd5f8a450a1938b40

SHA256
fbdf57b57c2cd664abe4b21fc87de55dbd3f12cf31aa9a2ecf9dc147017d920d

SHA512
579b6c9094b89576bf8b48c021ca5f373268f6aa15eb7eae8969f5e94eb191407c7fa844ac87b1305d10b5ab9c3c91cf4a096bb9af7c89a4e8b73d520dcca34b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d7da6678d794a885f627257169acd2ee

SHA1
250714da3575546cbd45c6fbae7b4f2b408df755

SHA256
9b9eb4279ccee03b16b48f9625b189b65db1f27b7d9a2c1e794b38895ef99d57

SHA512
f647a3fa76a5b4b7a25308949d1dc815784e17eec412f50d4e1c7c4556000e3e8dc83c8f2b44603a28896cfa9746620f7447fbd0a859cf206be2969396348c06

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ddd531388598a629b67ddd1fec0de1bd

SHA1
bdf22026b454d43c7fb259ac23372a33e3e86d9d

SHA256
71750f8454dc4331ab9be26335366c74e4df605e41da0f3d119181a590e8d358

SHA512
6f03efdfba5beac27245c6be8d396d3960c94f104fb79e6cf240b443d6f8e551f9cc1b800ba02ea0de33dfc2bfa474b96a6889cb56f4b89c2f4defca43901910

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4fb6eb97081e98baf29829d2dbd56a1c

SHA1
2c90d4a0d39104fac04dce6bc84cbe8c73d34291

SHA256
2dc7c6b85f0c5211cc46352f7844b6335e25fa7bee7b83a07eef5a1416f86855

SHA512
45ecd5c0fb03edf8e877513c983a455be226b9b7c2634badd7c0379c8478cba898ae28204b81659fbc0592345ea1e23348bdfba771c8e6b76dab38b79188ae90

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3945c1ce2d345b34b590fe2004062bea

SHA1
494a30d38d8f05a6e8b4f074d27b98eccfe7dda1

SHA256
115871c522fd35244d590fb3cf38bf30d2a24b10c0f8ed1ef63ca25489884003

SHA512
045af1af2fd1204e79f6b9026317a1f2cf71f8048afe1ccdf5c2f3b2b5c5a6c3034dc41b2fe342d5e638c0194e17079a60e165de893b63a0b0c51f2b732f9054

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
844503ddf53a27bbb1c1d55f331805e9

SHA1
17e6b38520851f12430edbdd8c20bf950bb8cfd1

SHA256
ceb2669552c0ccd1d351f0cdce519cc76807413e0f3e849b0331c57b2d709135

SHA512
51974757a68d187b9d829b63b9bec5f48f726ac5de1442c309c51146ab5f671b48655e1fb97f8cd340e6273e681ff701f5d65dde34c35be1866211897faf43a4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
47d19dff0f4d9bb26bffc9b016b70b5b

SHA1
6359df92e05c7ca0c80837a08c6edc2e1a135d2f

SHA256
4dd992cbe9210ae809ecaac5bef8945d8e009acd7d6c05763a1c40b21715f769

SHA512
b803c8f9de935332fb5e740ef49ecec442402c942a7c38573aa9220b5e9a090168f679b59d329dd4ad3345bff8256f743b9dfea62c9b0d54be13297b5922b0a8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
53f9efda325ea07a049856cbb1cd35b1

SHA1
d5c7905df54d32c084d272591dfbf00ab5e6d06e

SHA256
82a2e98cd027e8ba42c40c66122ef0b85381a831c8fe80d62756b44d355c1365

SHA512
3a93f7aada3bf224dd5e6602c9b4f56c18d9f68732767d9401d04c99863688184fb15f2a1daa3d6d92ac0e6b44441f6bfc36ee604658b9f4a2515a6423f1416d

Download Submit
memory/552-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/552-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/552-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/552-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/552-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/752-551-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/752-739-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/996-254-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/996-717-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1256-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1256-113-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1296-161-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1296-340-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1372-172-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1372-45-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1372-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1372-47-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1920-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1920-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1920-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1920-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2528-243-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2964-550-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-228-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2996-37-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2996-28-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2996-125-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2996-36-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3800-187-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3800-88-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3800-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-57-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3800-716-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3800-91-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-63-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3800-516-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4300-289-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4300-135-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-177-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4420-506-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4588-534-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4588-209-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4760-301-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4760-141-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4868-134-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4868-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4868-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4868-18-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4924-76-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4924-68-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4924-74-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4924-184-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5100-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5100-258-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5116-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5116-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5116-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5160-723-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5160-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5284-726-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5284-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5388-341-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5484-727-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5484-342-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5576-728-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5576-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5780-603-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5780-510-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5916-738-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5916-525-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6036-591-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6036-535-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download