5db16cea0906fe645d75d1f05337a24d151ab31410915ee2e7660f33d6c07755

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
Size

5.5MB
MD5

615f7ee617d69126da85e195da659a08
SHA1

b84810ea7ab842ae8da3355954845873606e2547
SHA256

5db16cea0906fe645d75d1f05337a24d151ab31410915ee2e7660f33d6c07755
SHA512

8db3014990db0dd9b2363416ef5f0fba1c4e24bf2dcca89f4c25ea437e4a03b909011063f8f0e8a77663949b715fb02d05c4fd12ce8adb6826b5d216fd6bb94c
SSDEEP

49152:HEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf6:TAI5pAdV9n9tbnR1VgBVm7fEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4548	alg.exe
640	DiagnosticsHub.StandardCollector.Service.exe
3720	fxssvc.exe
400	elevation_service.exe
1620	elevation_service.exe
2136	maintenanceservice.exe
1908	msdtc.exe
2252	OSE.EXE
1012	PerceptionSimulationService.exe
4408	perfhost.exe
2524	locator.exe
4988	SensorDataService.exe
1528	snmptrap.exe
5096	spectrum.exe
3032	ssh-agent.exe
4916	TieringEngineService.exe
5044	AgentService.exe
3208	vds.exe
4976	vssvc.exe
4356	wbengine.exe
4456	WmiApSrv.exe
1912	SearchIndexer.exe
5380	chrmstp.exe
5580	chrmstp.exe
5876	chrmstp.exe
5984	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c88461a21ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a64136b8c0abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a5f16b9c0abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000683697bbc0abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5fd5dbbc0abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f8848bbc0abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009de63eb9c0abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exechrome.exe

pid	process
4296	chrome.exe
4296	chrome.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
2988	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
3108	chrome.exe
3108	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4296 chrome.exe
4296 chrome.exe
4296 chrome.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2332	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
Token: SeAuditPrivilege	3720	fxssvc.exe
Token: SeRestorePrivilege	4916	TieringEngineService.exe
Token: SeManageVolumePrivilege	4916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5044	AgentService.exe
Token: SeBackupPrivilege	4976	vssvc.exe
Token: SeRestorePrivilege	4976	vssvc.exe
Token: SeAuditPrivilege	4976	vssvc.exe
Token: SeBackupPrivilege	4356	wbengine.exe
Token: SeRestorePrivilege	4356	wbengine.exe
Token: SeSecurityPrivilege	4356	wbengine.exe
Token: 33	1912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1912	SearchIndexer.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

4296 chrome.exe
4296 chrome.exe
4296 chrome.exe
5876 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exechrome.exeSearchIndexer.exe

description	pid	process	target process
PID 2332 wrote to memory of 2988	2332	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
PID 2332 wrote to memory of 2988	2332	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
PID 2332 wrote to memory of 4296	2332	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe	chrome.exe
PID 2332 wrote to memory of 4296	2332	2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe	chrome.exe
PID 4296 wrote to memory of 524	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 524	4296	chrome.exe	chrome.exe
PID 1912 wrote to memory of 372	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 372	1912	SearchIndexer.exe	SearchProtocolHost.exe
PID 1912 wrote to memory of 3468	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 1912 wrote to memory of 3468	1912	SearchIndexer.exe	SearchFilterHost.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 552	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 1224	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 1224	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2304	4296	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-21_615f7ee617d69126da85e195da659a08_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2dc,0x2ec,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7838ab58,0x7fff7838ab68,0x7fff7838ab78
3⤵
PID:524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:2
3⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:1
3⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:1
3⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:1
3⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:5180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5380

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5580

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5876

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:8
3⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1896,i,9287699023419208247,14773729869513505885,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4548

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1620

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:372

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f826a4c3c3a55454c22b2e3ec4a80316

SHA1
11570459956c3df5a1173fe6b38e30b4e63b5dac

SHA256
917fc5aabb7b156b73b75d5f0a3d629c8ee7b5c34ffd164ea0fb1d86fe4861a2

SHA512
6d33f144f321400bc418e4fbd1e0e8ef7230dd91c29f58bf4c530210bfea580d1721b378a1f952727246a31c5077b366f459c083196f73cb8a4bd63b6891c48f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4be2ab0408b485ab3a4a31215c4af5d2

SHA1
ad210f0d44a033e1e5afaa5619a89fac260f5929

SHA256
8fbc9a1ff137b49748e34e22068fa582d07eb2c2f8f72a28ba0f4e29122d7627

SHA512
93acf71a177cd4c8a1d4a6d4cc5ec15d41a91212622e20e3ac486ec99d2fb45f62ffa8bc55c0c5feedacb5bfe09544d55e7797ab72234be092b2c1d203fac60a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
62d9edf9ee05c43e7553bcff6132fda8

SHA1
43ecae3ff369f8883207834f36d35f93f214a2a5

SHA256
89c9852f6da70d21865265c5673ecbac5187450db8b1fe9b758dcc8578329805

SHA512
07341f6c2f9e977e1cdd75d3711b4827273ac2817e67091ff55cbb4d0f909681f29f84f4e0282d8cbb8fbe7602ba8b770ffde252e92c8e684d82dc19816bb3a3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ca695c814a71999e27f021d4090a863

SHA1
0ba7278a7816e20cf0f5a8e3544d64c6491105e9

SHA256
092b09d28050a72d45dc4badead427bbb5af5b5ddbc1986ec4c7c11e24bca5a9

SHA512
7704c89f54dfbae3ff3e474f23a74c1d02505005816b1f5bace57dc346767b42595d7f2463a0b42217c6609a00248d4aae32c076b23f5b9e6f9ceb11cbdfd767

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2627fdb3364513c7814bfc449a6ab9a8

SHA1
c1a1c47bb92989fe61c8131d9100452ae9ecce32

SHA256
5c734f07864dc8294881f39e060cdf0130e81d6732a0f8513f09231de5dd7557

SHA512
42639e819371541b28b0c1589bfda27e40ab13f901b335196b2199e996ab1d9e4813dd0d781ea4272c70e3d5005113997134e66f3a637d543a0a97cb79871814

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
804b883709edda2b1e66dc27b4721339

SHA1
419017650ff4ea9ab6f3e2c3fa77fb1194dcabf6

SHA256
6df59a8a57e8215c656787749d271347c666e124b6518290cdafe2b767e3a2fc

SHA512
348442e68fb6d16a0afc0e07b3bcb269b94f35775aaab815f7365ec8fee46fe820af879b79a7201424db021ec5bb167b8a972774716cd79c10daaee4020573cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9619a5f85860177009888047f7288654

SHA1
3973f7a1a0674a62b5ab1780d702431ab28b03f3

SHA256
5dc589e2b2f32859ee26af966b358f30e22b7f16d190b0a6cfbb29b16aa1a108

SHA512
9f81be0f857e6e72b1e4fa29f614fc0f963289f7c044270d665f4afeeedc5c27d85d4880b4d2ae054ad9ba242c2869442eeb9252735f88c99cdd012ce0dc7ff8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ec01e579d0f8a14a5239b5478c3593b2

SHA1
f63d52a3889326c90c440a48244d7f36f3595fd2

SHA256
dffde1c03f24ebb152f71596013a82a26181c9285f889219d2c1adb31c132476

SHA512
b4a62674b3211aa48345dbabf4361ae5599e65260f8fead07a7140943bf0418220d865ae3e9a52353db942db55ce056855edb921c4355074bc9c029a8d0a3c4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
959f745c260d6afbbd6b55c4f49cba8a

SHA1
47d6c65dd2149568fc9532e89579ad425d3f4797

SHA256
1cb8912b3623f1ef1fdaa235d5ada78a1fb85c06c75e4d862a6cd13db2b45b91

SHA512
462b22ab949c55efdc5bfc339bd6a9f19bee8265b78d342b217bd732041a3216e7a78be95930ef36d73d4995fb0263719b64b92b317cdceda1b382646ceef8e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
23089c7bfdeea3d380e1268bf8a5a6cc

SHA1
aac0f96342f776e0f0a9b52daef257e9403dcb2f

SHA256
ee08129022aabd08d61cec4989f4b3a610771d78db2d4f81c2a584a1070271c3

SHA512
75206fa53eb548f910fecf8ee3103b1190b114d29d9a9afa3303f568222677128167df767e434cc5dcfd0cad8a764f96a8b6165aea88005284a00b225f1917a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
50a65ad09b470be22e51c9b349fbaacb

SHA1
ca626fe2836200aaa202c6aec14eea270ffa88fa

SHA256
2659e07a02dc56cd48937e19cde088031ce1f3fe3754d59c3192d9a2fc050779

SHA512
f9824427d03c17175553490e0744b9bc8d263401e5aae7ec5a61252c4659f3730d1636e2c22999b3f71c83cec84136c0089e00b7f7aa4a8f8540b6e0dd624dff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2bf29452d961e3d9541e50d91f07dce3

SHA1
82fee682fb04c4aa79ff79b1705c0ce0316e1fb4

SHA256
0f7230ca735143db492b8f105771d569669f86ae0ca578ce2190ebb4b4e8d434

SHA512
abf7de62fe31aa976607a47aeb23cf8fa931fad7a71480d95d8f11ba671bfc4df22cb502f74207bdd374f987a4f4d38b98988a256e51554108a700451709e05d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6bc37daddefdc1e419b6a3ba77e3bab3

SHA1
96d2492b4e135d405bea22a0e34c8276d4964af6

SHA256
f105857b3e9744e6a9069ff44c70c9a02aabc2102c0345f6ffef262bdb415bb4

SHA512
f209e8efe7438368e91c821a4e7df745a6be790aeb72d071f407617ddcd0143cef537a3028cdd6c2752d38344c67c3c0be0b82760e057ba73e8552488dd6a416

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5b3175470c3a1966bfd92f04cded6227

SHA1
dbff618d90c0f76b1d8ce64cb2d175041b27836e

SHA256
c06cc30e905307bbf4ab88e5c7f82e7e6dd077913cf1d72db478bc10bf8e8829

SHA512
5f1f61e6e66b5b3ba979585fd6095353250c31067581e41f77e972be17ac495cc96f8fb1cf7c50c0917d8cf8bc346f5ed8ef7aec66f327537d939280113ae091

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cb22f5391eb4d6891d63d07bef4191d9

SHA1
38c36c28baf10716eb1a122e265d63d6bab0204b

SHA256
a52b60467051a5ddb7eded46cc0ffcdef1bae6d4ae6c95c37a89804da54eb164

SHA512
73a37a8e47b5a99d65b2e9e9e095cfdf7050e4cf3e6e0d6f393d7a62c1fc271ddec9d2293f921ebe74cafb73b76f84283359a8f9836b9edb4268addf27c41333

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
29e33fa1685dd563dd96965330cf4a9e

SHA1
084801b5231bb898fe3a618ed16b6db52e93115f

SHA256
3e2a6464f2e3a783016eff1a4d5c383d73bcc80ad21cba828802e67e127ee5ab

SHA512
71af284d9747ca7012c34bed1601fa99f15643246e5af2388207d864ba97b51a42c9f10e1e15bcf300b073fa9a2af26d5bd48f972ffe44fa81d6532ae60ffd97

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240521205158.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a11c9e35a8a40dae1dadbaab454d1cca

SHA1
a92ca0b613cea399ffad70bed5734df1896ba495

SHA256
133227ae5345992542ad955b8232bc53450d189782c9bcf96ca21e04c8892de9

SHA512
0feb55e9f7d1bdcf7598fe65b8ed501a26b3363b5ef5b3e2daa6580b2608bbf0e04b34c5f41e3fcd190c2888debe848dc24764a4af2f49b72883d0e32278f60f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b9673c5b3eb87798785aaa59cc8b0357

SHA1
c3f51b0f7e759a29d19f81201e597005bb8d3290

SHA256
84cd5a3b61efb330c36890f321bb468656eddd8ee2b093dc068c1d74033758ea

SHA512
3c235ea55b85d15fd490591e5cd7bd139787f718a6af1c65f1384ee5bc16ab0ee4c3d21ea70d65fc61ff8eb3f34287552a4f54a9218eee632c71778b1c8053a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fe22ad06c7f6d9685ae1229b47e04ad9

SHA1
0d831c57b97b2d5a3f5d8946da4aebcf2a744b51

SHA256
e158f0beafec2b4042268e200f992aa18f6efd0b6e4f0d80228a7725e1bb4806

SHA512
99436d808297e5137bc16eda38eddb1bd0bddcd4ab6233272669aa8ca39d9c370ab7a8b11ffacea3bf3fa103d359185905cea2d7edcb70b1e78ffdabba9a1ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2ed3be1848a17a517be5adfe1eccd64b

SHA1
3b957898e8717aff3b251de0f36867e4282fff17

SHA256
241cfd4ea6c728f137f0a0f88cd5b972a43bb0eb7d0a5a416108c26c4cf05f7e

SHA512
22b047726866a8a161820a125c4e2cc621e79de50e8982df285363147b0c27829e074aff85ccea9070d981765abbedcbf22a53dee27ebaf474db2e32ad2f8d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577e67.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ce6ea68ff7d719de0ae9004df9e8027d

SHA1
5f037b45bbd611e44e22ac61794e94735d6431b1

SHA256
270b28c908b7e1984d3bcce77f583a8a85a401d9c45c3eab835d1dc4e7528f66

SHA512
2c9b009977444708b80eefb6aa96ce37224e6ce24a40835040dcf594171b07340d7ab47aae14aa6ccfcabfc6e579f6cd36e7e10c34c80d785be3077b58220f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca28eebd-cf46-4e76-a544-66bc79a900b4.tmp

Filesize
5KB

MD5
91dc37832a4668131c8dcd5e78971d95

SHA1
a36622336dc6efea999ef641b10f7ba22a7d04c4

SHA256
a25e50699f6b9c13c1b6c369dd8ffb561188950c803637a1ddc4f2c8cab5cd5c

SHA512
18929a0777b9f35a9d878b3be908944a97f7db3e023a8f8961245fa71ad64dedd115a61bd6d573d80fc0c086b27c6daaa6f635a1a575d3f4f46ee0a8ebb1d29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
a48c1ab00089f4fcc476b40e800307dc

SHA1
951b51f6c1ce768736a2871892172980d593fbf6

SHA256
5a415929cb6423912f1398e1303e370625112d49c76c175eba398810e07eadf0

SHA512
186967912d80f3a20ba4c5a8b3a0feb3a56175591b3a420fe0cdc87bc152125e33cb499967264c9c996d24d32eba4dec6c8234d7e2add14d63578a1cb4e0f93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
02d1322650ec06e115938e2962c193d7

SHA1
5b2bbf9ce4577528ab1ec9df88dfd3ddc838b1a9

SHA256
dbaaa359cbf97488d1ae7ea2485e50ef948ad071e543f4d809b81f5c28bad50e

SHA512
9dc3cf9712c460055413e70fc94c0a26af1914d05c8a5232e2cc32466e04af2f4c3ee821e751a7a32fa38cc5e82f4c26ecbf89c84ce33027add0ceaf30584192

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
0bd82e650abde7689e8daf3756abd837

SHA1
552e3ed2111bce5e30e3cbe0d0937a75b8dbeb06

SHA256
16e73ac2da63c5a8207c161ba783f66687337eb5603beb87fb93f8bc890c22d2

SHA512
44b09b113a47fbfac5ce22b590e55dafa283d6edfa0fc66eb605f6fe929ca9418d9b6cadc15290d1bf1aacb37bd29eda0895eb3cde27c48f0e72d11adf616425

Download Submit
C:\Users\Admin\AppData\Roaming\c88461a21ed82f9f.bin

Filesize
12KB

MD5
4cfda4d17f03d328d76236c2c56a4c7d

SHA1
5b348832cc7b2bd25dceda256b2df3170955d7a2

SHA256
91a28e328a03ac863c370a2ffb361251355b02ca98517ff3136e1f8432d9dba6

SHA512
16b29bcffaa4f11a809da4d33f3e180b4b3ce97997ac4465bab4f8ddf3bda9df454112699b38617453634cb36ac5e2533329e7570dd67f3e66d5c315862036af

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
00e157edd0ba0177d63022f28d1d33a7

SHA1
f925418c32b70deae673276ab8b3a227d99aff8d

SHA256
35a6278418c087da5c173573cbc1561e3384c20540eddf21eb5ca17955c0f951

SHA512
b3185b712bae30bdcbdf62b7942d042953a76d44e8f9f0225fb72f6eb70353986d4f1b419fb854b13eb272ee369adffdacc7ca464edba171f6ad1c2f86624425

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5059e557bc3095398b70e788f85ba1a8

SHA1
85880aab2208317d719ce4692090d8161bf72997

SHA256
cd13a530f8cb70ba5a906adf3c14ae173c8b9891790d2162a76f1a8721afe29b

SHA512
b8d4e192776a1e2cc39f02f2cfb936afe1e717ec3df1a4f4c1c6ff29a90515f982be216004fb7e3b4bd90fc50eb561eaf7bcb49abf34b52c73977a3147ba85a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d4dcaa43c2ace18015f3c4dc223e02fb

SHA1
c533467c3d69704275968874d303da716d02f004

SHA256
6acabbcefb0b8948ddd348a13722a89285d365b0a3d13db763e98f8da273dd15

SHA512
32c375f6c2e9e0d006e8e1f5696143bf4950b382384d8d15925f22d02fb41061c3fe5bf19b68ed1a043e673dd817d5f82144f81d4adc781d94841888e37ab720

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
42cbb3ff88e5c07bd27d3b8062fce49b

SHA1
dcc421e7e1845a34943e6681fd36780e682086e5

SHA256
48d75d9a917a3c5da99493956ef09cfbf59e62955bc07c96c8bbf71b76d8b404

SHA512
743747ef7b7f9c2523873c404d0f3fe4334556c7b51730fd67c40a5ba645c8abd00d9c98e62a8b7c993f72c52e22dcc2f22e72970a4e066d79a834b05011fffb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b2575dc3b6e3adf26069f088ca9c011e

SHA1
8416bee0e7a947aa5b579cd6ef6ac64d4d6ee358

SHA256
a16a0fea76727554577ae02cb0b5a6f161a33e2e091a736d3b53393170aaa0f0

SHA512
3f81c77263dfdaadef29c94d12a990e9b7cc42881214f66329a2b2d8aec9305584ae42ee85732ef242e524a58989864e8d653388cc1886f925ed36e6202da38d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
94e310844937ded9a4772891dabf9eed

SHA1
e04f6067d97e7c9d42dab9a035d84eb26755a638

SHA256
dccfe53f0a47d2c8120425c7a4c8e79321699be1eb0d4b9dbfc9b1d1b1459120

SHA512
cad336ee4fdabb1f0497dbb4db2a15344028b2855ee176a4991255d0088ae0db43aa3b03b8273ea6517a5727f3a751bcb2cd409c4084b977f672e7e018eeb643

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c59c38239256d1a3cda5ad980cca0aee

SHA1
328b0cd8d7943da5a0cf38a8b554c7109bbcdc00

SHA256
7744c4ae8cad3eb6f747fd6439fafcacce4dd64a0fd6989624b181331ed9cd10

SHA512
0dbe2116434b3f014e3c56ad79478e9fe7c5de52b2def65e092d14340297c892d54759aea336ffa113f55c00c72c034961b98869033da257f8c34ac0008da994

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ff887ca203b4fbab27926c0c8289516c

SHA1
20c9b380fb29aee10307a8a65ee3b3bfff9b9260

SHA256
9bba090d07f9c72a130fd413dd42a63a756771f8a74bb55fe90fe77d2ecb281e

SHA512
a19fc5e4fafd64cf3db486b2cce3b401040a8139120f31be467849605f949edd7182e0e2b2455b65989f30e2daecf6d426b82359ce2e0fcb8ea3978e2b45c62e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a26e74cebb601e8f0143ba57abf40f55

SHA1
c3f2e0810a3365009f7d8f3b212dd4ea615c2d6f

SHA256
e1dc6ee7ff33a17b605b43d132a50eac2f69e007ae3fb4cf07cd16f54ca2c052

SHA512
2f155febcb3246804b8cde4226dae4957af164a0b129d7693446640a77ddc0243f2f29464d0d2a51b43a6cdc2595217780652540d811106ea7fac6d5751a928a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d7a4bd126f68f15bbd510f0941747ac0

SHA1
e212d5f372944228a3eadef594731197428a4380

SHA256
e6fa462c4a885ce52f8a6d4e2870438789dcd4f602d196a2a520c220d454f857

SHA512
5b6fee36636ea465ee4cceee602887eceda1c1d1dd9046c2e8614f7ad8ce82910fae41da09521bcb2c6450bc03ac27d979609958f6a4c664068fdfd1fbea3e0b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
253b041625958de472442e606f03be0b

SHA1
100a344198a4c1578863af2f08054e443fb7739e

SHA256
25b7cb5fde8cdafc784d5ee20636f326b229d2e9e42761454c34e87094daa3db

SHA512
b4f21e3b097b3990ec90db2feb9cd027e768e6c3118548446c8ed0e090f4464179b9a513f3409c4d32114bb8c03efa7b8aa93b79409316e35fe203bc05362739

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
318b2f731dd9ac64a44d02b25393f6f8

SHA1
6eafe58055ce17d00a8cd406c4cd118f7899e693

SHA256
9040d4589a13f92ddabbf8afe440a163e1981f3cc7ccdf9e35c8e93a563472c0

SHA512
699cbff60f4f183e537cf97d08f2f51d87d35f54f4df9b5af24a15ee17c783dcdc5ead82296051aaeca9ff48c34fc9d84ab93627f62be24586c9cf0fbd513bd9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ee020d26289a99621814deafb204af16

SHA1
c9461c9907f26822aab9cb29a1fa92dabc346bfb

SHA256
78b19195d1efe542d7cf919c57dceb32267876d827cd8399996bacf8f44b7533

SHA512
823ef39ce679fc522eb87e84e2b03f929a635c894545248ca4600dc994304373708ce359a1a1843d68b7792395148d3fc66b2436bce3861237c1738b16e8ae25

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7fc2c74b04f5e6e1c696f3092716dc3d

SHA1
4e99f4cf70177c26e1b0d23bbad57e27cf923b87

SHA256
4227d8efec5399d9a3708a17b958996e73b5792ec0c8b0112020bf3ba8476591

SHA512
db47f6214a300b2433b831402c42c24b20232492a98f2fb6e5e7d678d0aa64f0b0a7784cded6cbdf1499c10649204477926a6ffbc62a21362afaefee4ddf049a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d7073f876128d52fc4f4fcf0603ad51a

SHA1
04dfbbf9c1b870b15a040f7e5624d68d24f0a2ee

SHA256
a25f84d801bd0af7a1882a53fe740862fc86c022a090190e88cd9c7a019b3908

SHA512
feafeb260c904126a962ee8a1614b596c6fb185287354113d6d28bcee1ff9da9134e470426a4980e30add94c151d8d65c5a4762b4bc2168e2edf95d41456cf8b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fdc3b5a3a78a827fd63c34f5b0fddbdd

SHA1
b7ae57118daf85312b7ed1728650c2097384e54d

SHA256
bc4a497eb3e01b3efb844a16ffc91fe9fd0c4e52aefe94cbfe2acc6eb2305699

SHA512
bd3845756e86baa0deab045fda9d76464df992e4d6f961a4916dcc310ed744d071c8a13764593a3a454a8ab6b975c8860658d1b319ce46a872f224492c15ece6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b84e6dc8af35eefe4c4bb37e8144a526

SHA1
919c39b0ae921709182b1a6b8ffd8ae82969c8f9

SHA256
e157f55f6338afa94585d8d80b180851a406c041f0122f39577afd7867acb04a

SHA512
7106f517136684a96a6cdd88bdeac3b3767e2a30d1cee46274897c7e64d4d56206e48341094dbd0b17de1886d925aebe8cd6b5f0120e69b13423ee7ccb044fea

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7073ee2446ed070941cfe1f090626509

SHA1
b5c76a13d6986981c503bdb7e11a9642e76c450f

SHA256
3e57b9ff2de78fc0214a528a63c9e9da6ff0d5d54c95c7961f8e625a739c73df

SHA512
3692da5575b104eaa0f553e60f587dbaf67e6c1acc63e8212ec4d1460c07acca4f9d6e3034c61d6f3848e16557336c0c07684e87b518ff20d033fbd8d0caac98

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e4d464a38c6f5cc05b0a4d3b6e426399

SHA1
decd46a558902ced59a562cbcb429809eaee7f35

SHA256
e7be4cac8eb120d2053126bb131fe61f4ba9e6b8aee7c7ef7a24730ddf3d8c19

SHA512
59aade74cdc326ee7e047013e827cbb038054688c70e4e2a3e086f3b784529e45fb53eda657ad5506b2bdd05b9b2c05477d2e010380ff18bf10b100569295f52

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e167afb664cba2b81c104e174fa18244

SHA1
8cbae158bfbfffa6caa9706db7ad0f5b330e23e2

SHA256
58fc9fdb335408d13607eb5821692529053a89f4b848b78920737b02f7f9bd3a

SHA512
750324c92ff64335d796e087909477c9e99273b16687fbaeaa0001a979730e83375196672ee7901c589507a157739107021b96700354ba510d84f058418c6afd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
59a17ea80c74fb171d30a6c16123460e

SHA1
216de6b2eac831895734ac923bff2fa91b8003bb

SHA256
5210a299b53f010a08f0827812c3a50307442229c0519d321f676a66f8059033

SHA512
229fb1a252397516d496ae66221176ec0f1065df3f18dbfcb5ea14ec8febb2c7346c60639fd1da4a6f6776ec9c5b2b7fbf74860d693bc52de5a0d698d74c4783

Download Submit
\??\pipe\crashpad_4296_GSZAAATCNXRCDJQZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/400-68-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/400-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/400-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/400-423-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/640-54-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/640-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/640-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1012-309-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1528-313-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1620-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1620-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1620-715-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1620-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1908-115-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1912-322-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1912-717-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2136-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-92-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2252-308-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2332-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2332-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2332-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2332-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2332-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2524-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2988-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2988-13-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2988-21-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/2988-544-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3032-315-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3208-318-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3720-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3720-78-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3720-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3720-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3720-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4356-320-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4408-310-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4456-716-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4456-321-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4548-35-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4548-36-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4548-24-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4548-570-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4916-317-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4976-319-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4988-617-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4988-312-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5044-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5380-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5380-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5580-718-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5580-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5876-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5876-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5984-719-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5984-573-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download