1f1f1af58bbe59aad68e4a2135d09d1f5bfd7351372d39aa2dec34aa1279f48e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Size

3.2MB
MD5

540619294401946a3a0bb2efd1907028
SHA1

d5144f616b6578c929a1424bab4fbeeaa6a52498
SHA256

1f1f1af58bbe59aad68e4a2135d09d1f5bfd7351372d39aa2dec34aa1279f48e
SHA512

c545b6f6617db5db43837dd02d7ca7aed292cebfee19f8a7391b2ea0b53aea340d0b370422d8c03cc46c5e8ca5bab656ac2b3cd0bf8cf49d5b3796340654d45f
SSDEEP

49152:q5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqyNgDUYmvFur31yAipZ:kNhSMYw8ykU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1196	alg.exe
984	DiagnosticsHub.StandardCollector.Service.exe
3616	fxssvc.exe
3412	elevation_service.exe
2780	elevation_service.exe
1532	maintenanceservice.exe
3472	msdtc.exe
3636	OSE.EXE
3316	PerceptionSimulationService.exe
3696	perfhost.exe
1392	locator.exe
4476	SensorDataService.exe
2468	snmptrap.exe
2452	spectrum.exe
2644	ssh-agent.exe
336	TieringEngineService.exe
4616	AgentService.exe
1616	vds.exe
4248	vssvc.exe
4660	wbengine.exe
4536	WmiApSrv.exe
1452	SearchIndexer.exe
5768	chrmstp.exe
5936	chrmstp.exe
5956	chrmstp.exe
736	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exealg.exemsdtc.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\93a04bccb4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4adde06c4acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074d12307c4acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067e61707c4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050578a07c4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce16ec07c4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006be43607c4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a66d4007c4acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001672e306c4acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

chrome.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exechrome.exe

pid	process
216	chrome.exe
216	chrome.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
4688	chrome.exe
4688	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

216 chrome.exe
216 chrome.exe
216 chrome.exe

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	548	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Token: SeTakeOwnershipPrivilege	4704	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
Token: SeAuditPrivilege	3616	fxssvc.exe
Token: SeRestorePrivilege	336	TieringEngineService.exe
Token: SeManageVolumePrivilege	336	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4616	AgentService.exe
Token: SeBackupPrivilege	4248	vssvc.exe
Token: SeRestorePrivilege	4248	vssvc.exe
Token: SeAuditPrivilege	4248	vssvc.exe
Token: SeBackupPrivilege	4660	wbengine.exe
Token: SeRestorePrivilege	4660	wbengine.exe
Token: SeSecurityPrivilege	4660	wbengine.exe
Token: 33	1452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe
Token: SeShutdownPrivilege	216	chrome.exe
Token: SeCreatePagefilePrivilege	216	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

216 chrome.exe
216 chrome.exe
216 chrome.exe
5956 chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exechrome.exeSearchIndexer.exe

description	pid	process	target process
PID 548 wrote to memory of 4704	548	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
PID 548 wrote to memory of 4704	548	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
PID 548 wrote to memory of 216	548	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	chrome.exe
PID 548 wrote to memory of 216	548	2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe	chrome.exe
PID 216 wrote to memory of 556	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 556	216	chrome.exe	chrome.exe
PID 1452 wrote to memory of 1200	1452	SearchIndexer.exe	SearchProtocolHost.exe
PID 1452 wrote to memory of 1200	1452	SearchIndexer.exe	SearchProtocolHost.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 3868	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 1956	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 1956	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe
PID 216 wrote to memory of 4336	216	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-23_540619294401946a3a0bb2efd1907028_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2b8,0x2bc,0x2c0,0x28c,0x2c4,0x140221ee0,0x140221ef0,0x140221f00
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcca3cab58,0x7ffcca3cab68,0x7ffcca3cab78
3⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:2
3⤵
PID:3868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:1
3⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:1
3⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4380 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:1
3⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:8
3⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4292 --field-trial-handle=1924,i,3883092404743697019,1899815470454120968,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1668

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4476

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2452

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4876

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1200

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:6120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
86434de9a677fbef334e2a19cef9655f

SHA1
343af6c450f428ec23ee321d8054d74df6c2c014

SHA256
2bcf7488681ed4cac46b0512fa85f162fb2e36d4f249d50274a0462e4aa05cee

SHA512
d3282ced53fb8e552f2f2d85528eb56f67874f406596ff627b1457c7f0b37452f6407f06327b22ff78c3c8765ab2331474f7123f6a17f2ac3d5faad28708fba1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
8562295dd0a1dfa9923deefd22f95bb4

SHA1
93d32c03de3815cb3855568f184fdb0ff7b65ade

SHA256
c80aac2a4f942b03cfa5f218bfaade6a3f7fe69ddd86606a51e18d7e41cb02ac

SHA512
f746f25e4fcb85204bf1512fb777dd7aaa337862035fa49b01c83d915e6f6a1efcaacde298b21b040fb7c4bf5a743b90d6f659396514e4b6bd89294ff5b44cfa

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
dd8d3da4f33390cf166f66ff0ed601e7

SHA1
840a8d5209a3c74e9d8f3542e31b4ae85ce10baf

SHA256
a598b125c75881f7f9f3321ce0ccffc286448c119f1f95c89ff9c2cc8528b37a

SHA512
a53313adb63062112daa913fa77b62d13de83183d308e38b71f6d0e0c92afe348c089a79a956c59d9186adc7e813cda90039e232d84ae4628b67f6809ef19d29

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
91c40ddb55bf433b2151077f5130fbf1

SHA1
9f3de81b2471d82773659b9d4957b2a77903360f

SHA256
0b05cabab7aea1ab239a830ae18da7ba2ffbb5175d958982a9d6de6f06661f71

SHA512
772a6d7dc36b0a12e1b51254597a93e8ead1e9249d6530f395227aac64eb7d2d10836d5160186e1a0cf3695488e6b608b28a27d179a5c7b89f094b4595a7bef2

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a2b5792afbc18436ff0917cced0d88b4

SHA1
f1c0e55cd6fef103924f6aded5a2b289215d80c5

SHA256
44cae331d868a19b617a10ffe1d7191f8c89e599782b6e167c7868010d7f24b1

SHA512
1c7527b7c6a0e98213aff992c8ab7cd41a8be666bccbd13c934d737368061af3f3f2d581b8176424e1c7ef7702b580586ad729c308843fcd413a165e3217f13a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
d6f07d8b1fa4d6738875d435a63bc5a2

SHA1
5f8a243e1756bc6e05aa54b2d5098ae92b857fb0

SHA256
fa7e22b549065cba47b60dd3461a14890355415b61ada6260a4be08f180b754f

SHA512
d1a8ecab4f9eb558475b9b31505b60826f4bd694832fd19bf69103f4af902f40a70a2ba102c49c4dc8d069a979588b9bf083948e1323a6f9b061f505594b0928

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
03a86c49e95d660df3b4b752c4f93b08

SHA1
8adeb7771cbe80ed232492b9ba8ebef2048c4136

SHA256
1d61321c7385c8761ee71b8867554f5ea18726f0635321d3b6a684dc1022a8ac

SHA512
d1611f67561483c67d98de79cdc15a90a597ad6525849a0781f78727f2ba8ba2b0509cd747a8e90b266e54937642d65120028e0186c713c3cfa51d4531bec3bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f5c8216451a94e82a0c88a4be799bf98

SHA1
7337e012f0c7f7c24ddd66a9e8fb791045856122

SHA256
00562fb088ca5e70608610d92d5c1ead7a153b66896cdb0ec00b254285fbdba3

SHA512
7dc1b7f1a544d6274ce55ed47005a1afb62f4f88d73bc938bd74bb0c004c9336d4aa612243cc12828a804e6dcc197bc5b8d53cd3f1f428f4e713db522be86c87

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
5ff0ce714ba52338f1926272bffa1078

SHA1
9be0db267ca7456fec49709d075cbd7fd171bee9

SHA256
1b21445fde02dd0898d51dcffa4445b55fa68096c39fd204e50e3272181e08a2

SHA512
526c50358d1c72a1a4ed34586880769559a2b9561fccd761057b23afe078dbad217e0287c942749db19a2582d7f7ac243dcb174721be798325ebf6c9aab1337a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
0f3d51bd5c0b6da0be4969e9871700c6

SHA1
233205f47f9ffa48d4eb7de38b575e9f66ac9729

SHA256
13248001a824d712055900dcd7617aaccbe2505ac90f5d02f54792c363436c81

SHA512
b3f9a961b11d0748037893738ed6b63820b545ced02dac4a7477439c7ff730ead5a54ea5354f11135114291ba447962ebebe755d864a4a06b4e2dad1e89bcd89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8465a40e7abceba664ca0accbb6f70fa

SHA1
224a1ab4c1c590f09754674a50a217fee00f8fa0

SHA256
9e376403412c3418054e2c295d85b7eaef1dc3bd7c5fc75a19c35c9b4f68cc0d

SHA512
bf03c82c2cb5b71d2b4bc4e889e447c967bf828ebf918fd155bcb23c9620986448eff995c78eb8267f3c03cff9664db8792b4b243b01f902bd9e30f2402f9a67

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
57b6a7921d9234abda05c18b120811b4

SHA1
9c23d42e47d34a87196eb3a275aab691bf3f457e

SHA256
c51ffd62d49ccebdc240a5363bd65f81e10dd196d6e145bc1a645f26aa19faf3

SHA512
9964f9ad8f7ddddc0bfa4ed0cc20444a2e33347870b463fb9a9cad7134dce9474027bd012bdd8926c9e555771529c9a4f6fb5995d7086b8360c7401c0fb6634f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
174610240d4d5bd67020c3986b392407

SHA1
956c8de7f8c04390a23f4f61580a38a3347a2df8

SHA256
f3f1c476be0b865b8ef782fb3ab5464bba87ef707c815a3a2fc4e142c1c1dda5

SHA512
fff7eba163980dbb58440800dcecd437708ff9bf1324adbe188507852173d9d2003380d08fd5cfe44049b72347e99759f4988482e1f9dc71f7a0d239eab53120

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9c82dd1b1528ea5c9c9552185a589661

SHA1
d353c9a3729adc4db3529b5a930e80c319a6707e

SHA256
6f98d193ec2b2510043e4385f345ccf60361f975e7c3bb76487063d3c43c1044

SHA512
ac3d3d11a09bbb75c282d0d037058308d2c72c6eb7e1642e50ff0850b5166188f364528b8c16c1d9f4193c22c3ab75f6bd150c97b337feac61054bfb5137c4ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
40acf858721df474fdb6f7b7afaa87dc

SHA1
8248b43784ce51483488c70ce2b81f3899cfc41d

SHA256
626fd55ebcee5e5a199cf7b6ea5a85ddcd15f400cc496708ecdf3e21b44a9327

SHA512
4fc1ab1ebd8fc4385dbec457e18dc44a0e0c1c0e733d7ab978d309656768054ece32a9c6cf1e699e8477a7794728a64d58460e05c16cf99931333829d2439530

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3342af1b-7b46-4d33-bed4-519ed12fc8b4.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
75fd75829b32067e51a8dc41fcf90ee5

SHA1
e5c2529354d3a9a3b08f9cedf5bad01d08d9999d

SHA256
b93c7dfb731b850edcc0bf661843cbb293f28b4403bb7af6e9f3c00edf1907b0

SHA512
97bafd5d254c9cba942718f29de78020e0f0b306af981815017e891a7b983d1e756bdbfaf798a1d86c4c08ccd04868c232bfef7af9c91e46de79bf92fe67c898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
590655ef45d2071830dd2ed0bfdb5e80

SHA1
2fb3afcee15fdf426285034cd052acb9354ac66a

SHA256
afe53bc5285377866ba2a423b431068db548493d4c8dc7299009e5fc2ee18de9

SHA512
1f14156b91119dc537ccd0f655d75b861d7f5b7c1eed91e763d4843b549b5ce5405045e710ec5c35c5d14a509a9be592d2ba06d65888a9dd06f4790fd9b94f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
b14b0c8131f55feba5c6377a1dbdb9e9

SHA1
8d75f5c7857d079ad44bc7c469bb3f7c32087c86

SHA256
3936a3557ad713dec25318d59d91a0f950947be963d4c82e9ae23f4e5e1d62a9

SHA512
c60d1e42af8784cb770a3b0f979df37ace52e0a2cdc4ad5eb4674597580b6dc39d3cf59c36f1a614d549e77baf49388a6fe6abf083f0ac29d80bf20a2421627e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2646945233cb6481b11b6a05f5a10118

SHA1
3444240f97832d7cc71ad60d898c4bb4e4dab691

SHA256
45d30b48a4dd105ee08fb93761e8e348f92f1248a26134293914816fb63e5f10

SHA512
5a124df83801eed5d48335defcb46681e6a9b4bde56635a7c051038a52315be8ade3dc2fe6aceb79486ed9a25287675747aaee520e825cb8ac5ba2715c73f0c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578d8a.TMP
Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
189a352d90d5d20f8a8a1c39e5492744

SHA1
8ee6da017e0c48c6dfab356ae7375ed2aee5dd01

SHA256
b04177ee8112dba1048c87bf1ffef1a9023ca4303efb734779a7258657ddfd0e

SHA512
45bbe331b47fd198aa21d30d1a008137e5845bdce0316c6c7b2e18437e792d653e9d53cdf76cd53cc83b5ff3df2f0de62510de52c7430cf9b1f42b468c888670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
274bedd5b7349bb98fb724aa6dbaa2c6

SHA1
5c129c55f0eaf58849a02c6a337b4058a1a9e4f8

SHA256
b7c808193625030a9bb301c2eb0fd76eb145134e68c2007ba7ad9d9058785709

SHA512
066af12a0f72bcf20d501a4c1554cfc79fbb2c5130d926921ed8c2ed6003fc4fb94432665d2a2e02438460628de20bbc1be6848521afad538c02212910c3ea01

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
ccb9a92c4818bec42f2aab8e6954fd72

SHA1
e8b1e9f6fc4536c529c6fa1eaa1928da5bad9570

SHA256
810eb4b00e316e1b599c982bd95319adb49f988cb4186f87d3e229355e71578e

SHA512
8e3b7923a5ee3a93d21d225de86006660adcc011a05667342ec2169931d6358798531456f2345624855ecf614d2f05a35a0c7673719e824907b0fcc1b371ed2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
f1a3ed9576a2cf8720701f1234f7a3bc

SHA1
f9700d5a9e83ec62a8c32b1c3fa9baee7b845801

SHA256
c88236b321c6967b965e7cbde0e9c09a383b543791925c7ae421437b8c368f30

SHA512
09881e2be1b96f5b9709c3032879e8ba4f3854273a61a628297902f2ba54aea13e90a9559700561ea9611c1f0544a59306d7561b986a65e8f05d85c411b79722

Download Submit
C:\Users\Admin\AppData\Roaming\93a04bccb4b1389a.bin
Filesize
12KB

MD5
a1ca2f6a96016c2330298dc013b3dc88

SHA1
41bf529979b940b4a4fc37a67fb242ea1e731bd7

SHA256
ec2723c7f8f88cb50aaa970c0a44926e46849812084f200361cfb8004183f719

SHA512
0cc0b1f810a5784b6bfbad8fcce085b66cba52814f32c9872795ac4f3087bd6380c92db75e051d508c690209cd4e3f8ec855f2c8f487f6d71db97db72676d9e8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
edb8fc8b0f03daa17449e0bf3b0b7193

SHA1
626b886632cbb6cc9a122ae1acdea31343c6daf5

SHA256
c4cb80348773f6de1da1bc2ec041f799b068526c863b00fd10dcbcd22e41a975

SHA512
87a07c199839381944c783d455059ab625c0028e0142f6e34426cd15e72e87bb227a32664701c67c662960acf6fdd4748fb3210e4f8fc2044cc5a9195460be3a

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a8c1d9901cfe455a902f155a0d025dbb

SHA1
6c828535b3833d44cff596aa00c0aed98c0119ed

SHA256
9ebe92d08f45f00fe4f28f0cb98039187d2a2ac61b50dc9fb02a5b0fb493d408

SHA512
937fc79fb815a12f13c03e337d88ddc20a6f79f548a345fff26f190f30481df255ee00c3dc79afdd531e5f94288075499d34a1d3c8cced336d45eedcd16a379e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
f99cbfb7287953957821b457751cfcc8

SHA1
24175eba2470ec88b53e83afa9e80f6b539abcfd

SHA256
200ecaff0c0e7ecbf9d1c4a6be3cc9ccb949761f2d8bf8ac2bb676f10f2dcdcf

SHA512
371e1dcfd8964d8b961cc991b73cdd929bcceda6cae415ca41e291c1e7019ad3584f5daf90c5fbec67128fbba417707296c94a28c058e0f587ef4a2044d57631

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
72f87f7c9166a2ec8718c51f651579e8

SHA1
3b4874e0a045573fcbe44fdeb19dc19c86889e1b

SHA256
d999bf24f9111d0ebedf1f43cf0fe6a9ddbcef91316af0dbf121ce3cb173853e

SHA512
0273993cebaca955d449ef262e26c7d92e8a7742e4bb3dae4b34ed0baf5264c62132e3656e13cd1bcb6e26bc93fa2fcba0ef156372a7436b065d7384912d4d39

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
45df42ef85d5183f196cc9f495f67a1b

SHA1
d38670ee3cd472ef463b5c0f493db5edad2b9508

SHA256
c1542425855a964dd98178a46223c7e9b05c5d9573e11359f0e12ee2afa14b89

SHA512
3a8f746504717b6b6a07ec16d9ea966e2ef6468b561bcf86036f094641ab15d8ade5cadffa02c7ef65522be5d371670723aebb507d69841800e3fc487001d3ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
0dc0a3a215663331249eccd3ff83b0b1

SHA1
6bb2cab34239ccac9866f009a5a9b91bff51803c

SHA256
5fe3999217d24791d71101367ca68ddee451446f649fd0ac6e8e4cf9e5653227

SHA512
b5e92d51b6f7841037f43c1c55b4d81015e45531983f689e73ee98f22021ccb760cd705b6ea0b16060741a1cbe77934cb1b36157e57d6a4e19a801838f45437d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
3f9b486c06cdfd1129696dfec54ac067

SHA1
36724092d9715022b6c162a5be7151c03e13a705

SHA256
0b70edf8f0f4cea4194577327a6afb6dae701d6039b7e85fa10c9419ed7f8ddc

SHA512
054d1026c60c30207de7837a26617d792a601576dcdaed8d4046bb4e836de098b808d7d14cc565e8304a820a026a57e3a5f4a402c58cfc468dc6c99e9dad6730

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2e83f5e89f6ab2f6cc8be94003e36fd6

SHA1
e1115ccb9531ec48e6e231b025674de7bba21a6a

SHA256
d02a6db05932de071035c87c2e7e68cddab4aff90df494ea6b68f704b9b8e578

SHA512
d2e2bca6693d8197b80322c23202af9a56e57d1f6a8b9aca3e78bc2b349335cc2537973211dcb16f47b37a40f0ae194c75f9faaed970106b20a58f438fd79dc5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5e90845a64e0f9a474d05cafb9bfe4d6

SHA1
5abe7401bb4222746fec434a1af3e1d9fc2be9b8

SHA256
1f83dd58a6532637559482eb7f08c316d518ffefb67ed79fa378236ea63f7690

SHA512
bba5704088b3156790d6d6c4090db73db98ab409db0fb967ba3e1ffc2e5d271d0348fc732278127d179a1c63786f10c1f6e70cb61a7b0d3dd4853385c0e578d9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
9ad8f235666f2038ada9c618e123ff4f

SHA1
7cc930386abfe4ee8a3071225b6e12ef7e426df8

SHA256
eebfedb23b1f5b30bd07171571292246ad04a18531acdb0959d178e6074ea291

SHA512
bd02fac726a0e89179c6bde874c20c522ba0998aa6fd1ca7a33cf0cd91d06b8745f6aeea2f3368c7d52611222af64ffb612cf4cb304031616c08b7fb0a8e4281

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
039626a09d430c03891f85f880ada129

SHA1
ba12115011ebd37347684186235294e41aee178a

SHA256
82ce3b807a12d2dd2e50a0c67b8459dbc0a47b3394355671ab942df3f3910a35

SHA512
f6c9289a9e46e0475e3bf4c52bb56615b390524c13e52f5d5258b0f1d68542c149cade0e01a69ba883b3b42a08f3dc5014bf089ef85b5f62364026e48f8ddbdb

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3437f684e98d356fec71a4f5544e2dbd

SHA1
f2f82d1cb7a6e08c21feffa20977aaf2f4990175

SHA256
863b2c71a952254df13fd9479405c05d455aa95e686aff4756e312aa06c960e1

SHA512
dc0a763b088ab5cb4664c9fa41d69b95ca4bedf7710154fd74a4275b606e8b279df9cfac5b49889cc4079a3f0c0c728627add260240c68ae0e60c9da29f6fa3e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
f5922316c34c4269860db31dd3fda3b2

SHA1
7ded753c98972341658806ac7ecf4a881be10136

SHA256
8ce1ae3df232d9f44c32dae352c12b3176e4628e04262a645d8f5815e220c8b8

SHA512
3e9b1d6bf78422b0fc600d268e3f21521caae9a2ce00d968cbda7a5e00b1726a1dd8302562df0a8cbac06493a2894067bde0bbf35d91efc53b7d884ebbfc5094

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
b92946f06d47cbe9384983994ab9fcac

SHA1
2c3b3fb431d4510ca2ca124805cce52971acd160

SHA256
abb7e20ad0c3c38038a23ea9434abffcff58b611b4eaedd74b785b56d9283eb1

SHA512
b52322ec8e4c3474ebfa73a89b59acbb7c1d8247ca56204b821ce2f0305797f65a7f213e0dc37c9a534e8a58d41239eb63c1b8b184f02b9216c62b89392a0392

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
fcb5d80c870af0fa236a9a551c4075ce

SHA1
f10d1157bfe4c39528834db13568c2610058e7ae

SHA256
115b651285dc4ab9a19f3203c5c7fd9c6190de55f52c76dfcd84dd8bb19e0cd7

SHA512
aff55de565e09b6d1c889e31d1987f542eaa2f6ea6d06ce9243f20268aa6b024f9ab3b01cefdd988593446a3ee507c4cb0573315e2a2c5615ee72422da8e6cf6

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
3609548fe3593054ac88618933ebdcd1

SHA1
1e93332ff550c713a06bc19b73d75233dc559805

SHA256
0587ded52a455c580f805399df49149ee8518648ef7c9373860c2ab81989effd

SHA512
69b426f8830ba30a6c06e83d5d94e6428e1ac713df0a0806eed727c2adfd76d5c3f90b25b8d92b6ced4414dfa599ed51e1102da37eb48a748c1628083efabb8d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
be50235ab9ea3f0eddb306945ace12ff

SHA1
c77fb722c3b1fac2134220c82cf43ce7a22bbfc5

SHA256
fa55476a103ee4b62647d952dadf31fd4168031100686bd14caa81645c2f8a8a

SHA512
328b4ba28ef3ef1d69c53319d27901e2961a0a70a1885b18676939429dd954c42dc3a792674577994e29134c940fbccf57e35f571616f7c5879aacc692ca1428

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
a9a5a7d2b0c330a9efcf724701c2133d

SHA1
901f8be7f080fcd66fe977967a2029e71f36e031

SHA256
7891226291b9c324294c031f5ace6c880fadc893b41e00c59ce214577a85cb8e

SHA512
ec598ce83081a75ab1a92a1b016925a84ac4c59270579e7c32035c67467038544f2a43346c845c171f882b49df26842b19117428b1f24f231622eba79c5da337

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d1b68c747c51c0581f243e0efedb7fd9

SHA1
68871e05193b0ed635114cd030564a6958b5bac8

SHA256
3a20188c59052ff1e1cb66fed4f44988c9654dd69a4f1c272dc6bb6d4e1b62f3

SHA512
6f96488d6c54789c3cb355c9f023c120aef2c245896b73f5a6d522708a488a59b5f7237d651d26e45543f65d211d82f141e605c031e8765772f919a7566b2f40

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
d4515122b8e2ef81dc0d298a697fcca7

SHA1
0b919d46817d4a5b7c8b02485b32686e99b238d3

SHA256
ef5f1102dacd0ec48430cec2c5ac1c6920b6e3b887fc67c45ffe72a4e5050923

SHA512
23bf9b9ce0718e947d545cf64950c7dfdf4467eef4c9652953ac3de775eb0de337fba0f3d941e76af6c9c109340ee2e81c1507c30f0dc2becf095cb854322b31

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
58ec4a3788dd65cc5645221d27e4a551

SHA1
6515571ec0d7e62013ef179b8f228b6e207da0a0

SHA256
2e405996a978717383c2d865e2e966e1734b687bdc432310e40aa8b986baa97f

SHA512
281cd35b6a69194d2151bb0b766de86a609bf7675492c780ec851937afb440469661cfba2bcfea74d45cb3c354e34612e41012808681470ebcb46fc817fc1675

Download Submit
\??\pipe\crashpad_216_BQIPEUHCCINKJTAB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/336-322-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/548-8-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/548-6-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/548-27-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/548-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/548-21-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/736-810-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/736-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/984-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/984-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/984-310-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1196-639-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1196-25-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1196-38-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1196-30-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1392-317-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1452-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1532-99-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1532-87-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1616-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2468-319-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2644-321-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2780-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2780-644-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2780-311-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2780-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3316-315-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3412-312-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3412-70-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3412-414-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3412-64-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3472-313-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3616-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3616-73-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3616-60-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3616-54-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3636-314-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3696-316-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4248-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4476-318-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4476-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-645-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4536-326-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4616-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4660-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4704-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4704-631-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4704-20-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4704-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5768-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5768-607-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5936-647-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5956-575-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5956-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download