da1d27d93bcdaa8d83a09560cf97b5bbce67207a0615e37d3aa4c399aee90649

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
Size

5.5MB
MD5

1cf1b8938bf9b07f55924ad831ba41ff
SHA1

58d12e01bfd08c225e4d2339f2e3a57f3bf0e238
SHA256

da1d27d93bcdaa8d83a09560cf97b5bbce67207a0615e37d3aa4c399aee90649
SHA512

67b7f2ba743cbc31ad683d5598ac5c7d096c3a707813af7f65d660e070b77caf27bec3778be78f4cd411584aa7f0af661c6d591774e428ec0b286a5cf2b60918
SSDEEP

49152:XEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf/:DAI5pAdVJn9tbnR1VgBVm569CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2008	alg.exe
636	DiagnosticsHub.StandardCollector.Service.exe
2664	fxssvc.exe
1836	elevation_service.exe
2344	elevation_service.exe
4904	maintenanceservice.exe
3956	msdtc.exe
5104	OSE.EXE
1356	PerceptionSimulationService.exe
5036	perfhost.exe
4908	locator.exe
4028	SensorDataService.exe
4600	snmptrap.exe
1984	spectrum.exe
432	ssh-agent.exe
4088	TieringEngineService.exe
752	AgentService.exe
4540	vds.exe
4276	vssvc.exe
3144	wbengine.exe
2952	WmiApSrv.exe
5228	SearchIndexer.exe
5584	chrmstp.exe
6156	chrmstp.exe
6264	chrmstp.exe
6328	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b9695acfc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007046842e01b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008abd992e01b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003345a32e01b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cf9752e01b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047827f2e01b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1696	chrome.exe
1696	chrome.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
6848	chrome.exe
6848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3420	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
Token: SeTakeOwnershipPrivilege	764	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
Token: SeAuditPrivilege	2664	fxssvc.exe
Token: SeRestorePrivilege	4088	TieringEngineService.exe
Token: SeManageVolumePrivilege	4088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	752	AgentService.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeBackupPrivilege	3144	wbengine.exe
Token: SeRestorePrivilege	3144	wbengine.exe
Token: SeSecurityPrivilege	3144	wbengine.exe
Token: 33	5228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5228	SearchIndexer.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe
Token: SeShutdownPrivilege	1696	chrome.exe
Token: SeCreatePagefilePrivilege	1696	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
6264	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 764	3420	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe	92
PID 3420 wrote to memory of 764	3420	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe	92
PID 3420 wrote to memory of 1696	3420	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe	94
PID 3420 wrote to memory of 1696	3420	2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe	94
PID 1696 wrote to memory of 924	1696	chrome.exe	95
PID 1696 wrote to memory of 924	1696	chrome.exe	95
PID 5228 wrote to memory of 5908	5228	SearchIndexer.exe	120
PID 5228 wrote to memory of 5908	5228	SearchIndexer.exe	120
PID 5228 wrote to memory of 5932	5228	SearchIndexer.exe	121
PID 5228 wrote to memory of 5932	5228	SearchIndexer.exe	121
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5196	1696	chrome.exe	123
PID 1696 wrote to memory of 5380	1696	chrome.exe	124
PID 1696 wrote to memory of 5380	1696	chrome.exe	124
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125
PID 1696 wrote to memory of 5412	1696	chrome.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-29_1cf1b8938bf9b07f55924ad831ba41ff_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2ac,0x2dc,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0900ab58,0x7ffc0900ab68,0x7ffc0900ab78
    3⤵
    PID:924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:2
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:1
    3⤵
    PID:5548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:1
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:1
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5584
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6156
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6264
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:8
    3⤵
    PID:6400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2364 --field-trial-handle=1948,i,12821759981605501925,10471915988474935134,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6848

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2344

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5908
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4400,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:8
1⤵
PID:5996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
a3dc4324bc368c37b6b48ae4de6167df

SHA1
6b02b7ae05d254fe38230a210f194e1f2d7ba802

SHA256
3e51b25d505ca8d4e948a3fc015bed6c16eab9d401d25351b8265fefc03dd950

SHA512
685d7954f2e3a464371b7df1197f511951cc135aae1f7b1cbc1aae4d48d5422849890ef2cefafadb87930d1e3ee0d022a5fc90faaa9d745324e257d9ce1ecdff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
6c6dac64aad141a680d1d325794d1bc9

SHA1
cdcb44d7b9b6ddc229f9811c85bb0e2984af4d71

SHA256
bb6a1030a8b9e1673ac91a134acbf4b7e3abddc6b757c6afefda4f22410ce05a

SHA512
5d00a9c130dcf9341b86b26c8ce9299e1b5e0556bc20efd0d3a1bf04c1a46eb79e358941c3e78477d90bc056ff29a81c6c6454a3fa53cb58f607cf4b3b3efba8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
45d7e24c5616cd1567636131d6ed14b9

SHA1
491ff0b60f6b9f5468457ee469bb91a61f987d8c

SHA256
600e3a5d747810a54c1f0133e4f9be7fa40e5a89758d4090695f9b771dba893f

SHA512
a49569bce506960f88c3da2008080abcba0627ff8469f800a9ef56bd1e3db33981e5176a5fe54729107cc1f25381cd1775d841193e2a6b2860b434b88f84009e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ed2ebe139f085719e99dfb0d41d1b254

SHA1
97c8320defe0e97db0e34d67c67e04d55913cff5

SHA256
66f2f96817355b4bff6e4bc6aae12b4e0d8820bfef0e2ad66433d9df22a1b49b

SHA512
a191eb8e98693d801591145e3313e5b3c27ade517f0d6250098fcd0f2399a607991d694cb3bc57ddcca828be329ee727245ad54e49d56ba20da01383a6db537f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
77b06ad01c0a209bd34d3baf983d6e65

SHA1
680e4b311c76025ead2383ae78e2895f8210e504

SHA256
70715dcaa88f5a7ecfa136cfc67095c00ec32effeb82eaee5b9816c2d4555095

SHA512
0ddfa28676013348a5f8e621e5b112a4f04162b13b76fdb212b2b7f1f6e1fb0ad5ac34a467d8fbe54eb527090eb46c67ebd35efc70cdc72a8a753a0614c7db18

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
a52ba0c35954a5ef6b7c1a1407bd83e6

SHA1
adccaf98c03e7c6929051abddc320762684a7afe

SHA256
fdd39b03be1f101b45ec9c2cb8f8e5487a30bb540e3b9a310d69c1180956d0e7

SHA512
3673a3c70f827304121dde65a1d14cfb008d7c899929a7a38e0442d96fe0257d8dcf13dc77281a8be5105a4ba3712a30cdbcc168688e02869b52b330196618cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
c3992fb0625ea2f28b03905f77a5d96e

SHA1
cece8078e0c39421ff2a46dbbe69bb8dd6ff58cb

SHA256
609dd3772121d46d8c9ac2dc6ecb54d70d69015156e961bbb69b26f4b04e7cfd

SHA512
be55440833fd88241b91ec5b1d54d89cbe87bb6e25cb7c0cc411ef185c5121f7cc49e232cf7ca6743be741f5debdb277e0460afc6e68e2958470c6c8ab34feef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f5a9e1be71d3030501fde3d7800daad

SHA1
b1a2611d00aac67f9e7cd43c57638d7bb799d0bf

SHA256
3d4baa60b98150959ddb0f1140dc5e6fba1aecd74e2f8cd64ee3e8622ea9940b

SHA512
f1090b9c6d04ad6f0dc9466ce4350f9c1a9a511a28ee7953ef3c02d91c785e3aa363207ad872af5ca63b06b95b131ef81f0969093c65d0045f9540e93231a4e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
478597e1993bb18a06e3672dd210f7fd

SHA1
3fe8ba6e3ace5d65cd9f15f722234946d59869a8

SHA256
0b0f1663a727fd2eef5c03a0d5b4a3891f70295ca681bb4a50ea6718446f259c

SHA512
20099b316a6ff33593ef0337b610b2062ae277ac6d9ee3ec768872514eed98a7c4c0e94aa9c68674531f42a862b1dbeb073acdd08fd05e3fb1c10cc0140724ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dda8aa4d2b8d7f236bf2bd63f41583f4

SHA1
1996d953bd138d877431c40e0f313e5850a6842c

SHA256
36c654c1cf27fb75f467408c210d293a92c272473d235f699e2c4a428ac51f38

SHA512
81f6d42eeb90be3a15098128537b923f5cd3411efb7137924e87dabd158daab47978cad8237b70d97fc1cc56368dfffb5802a6dcb1e7bad5381146c28a70f5c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c393f346253e52f14b02ca09b0a6ab71

SHA1
51f960b0b53a2f425cb397ab0b479bd516215614

SHA256
a187f6d6e9e2dad977779cd7160615e45b2d7bb525b48e43c812062348ed906c

SHA512
33e06e4e6dc6354815d347e741419831cf28e61da25dbb98b8eab4db25a78476c7c5e21998e2d9553ded7d174195231d27bfa5d6dc5698f2d4d0fcc34571e836

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f210c6dac2b06ff91e54f98bd82346b6

SHA1
a5cf4405495f5a0fe2e9bad5950dbf550d901b89

SHA256
1ebb35c065438eeafa79f7bc549fe4e19fb1d04806ea53b5a20dac900a41fe3f

SHA512
a498df6d5f04a46ddfb3eb540b00f264bbf30d86c35c095ceddb2cab33deb83f83e154f5da21f16da12bba6371119ac7a3c089d79c03078218acd08d65b536c0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a1602e09f6dfea2613ccb38f2b4fcb61

SHA1
6b2d5016501c9dc7f20bfc4a9fcf6834c2f7cf77

SHA256
7363d0bdbabb28fda628c0386c6938ba4579fdc4f007c651dbb212d4b9c529b3

SHA512
80bf035727ccb8838a995177ba5bab9f3e36a8f98737ad6170a1bf662173b19af5e912a1faedf3364fb243c8c63167d5fa24c00679958782582f795aede3f8f5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
0a6021988061213ff6379853adfe112b

SHA1
fa4d0da88e37323b47ab28f3e83a47cf1844451c

SHA256
c2684c7df034635bcb901c93471df2b45a4bb3859bf05c92f21a86e2a4388630

SHA512
05c66ce7de23695e33e804f1a52478d82785032153d9c03d0be2072f22535dea93dbf1c716db68baa6ac285adf35ac9598ee42e11e02961a32a6b51e94da8f88

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
73f659d7e80ba427e00c6a6a1a8d94ed

SHA1
9fb2b46fb4cd5eed35f959d6370325dfe0f7202a

SHA256
f70979c3013c4b7ad2ba68a7255739ee1566f6dbd30f56a84d888771eea3490e

SHA512
90416d4cda0cfd9449fcad1cc15ed01cfb3535e6a57e8d40bb19a98261dc5e8873d1b5b04dc781fa3cd4e2a562d1ef009b070ff89b90b6d30e6ad9c5a6b2645d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1b62af2e795e4c6b55685dc6b39d402b

SHA1
b759072e52c31bd03dfe3697eb2addabf0868b08

SHA256
8fc944e585b13323204eb55d96066b344559a2297f010dfc40e15ddcf46a4560

SHA512
3283f525c062f0ee613c5c9a8f7306b792158fc52a47a7dc5063cb181d00349e57ac8613a8ee68b85a227e84a1b40b4a8177436f35dc57ae00367667d9d770ad

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cf0be5a40bacb3335b598f632cf1f5d4

SHA1
ea9fdc3ef48c4dc58b955d962a5bc0e6fbb985ce

SHA256
20e1010d0f0365bfa710633fa6f5b92fa84e218085d2d37539b84f8d18692cdf

SHA512
37f9e9bba116bc10ca789d0c310501f8a89a355761cca56eabb91c85f9509dace0b24568dd9249edeee4e8f72e65f5a14014f892aeb9fb3a5101a833fb273a75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
07f1cb7040fb38865d1e0f18585ae102

SHA1
a42a98432643857ea7aa7346e8a239194387aead

SHA256
669f8a79e26accf8ba23fc0a1035b3a6c316b6dacbfde3318b5d327d372d2d44

SHA512
4b2f2f9894de76e838842e38a403f2559f97ec6a7401574d21134c002952b1cc031e1342431b8fb6b549416985b83e295587eb051a7cbe537d97f54f7716d00e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
39ca4d53e5383c478e28be85adcc6c62

SHA1
c61ea7a06abef573ff7aea3828b5ece2ad28b94f

SHA256
aa0e87e0ab5469e52f8468f643b0e5357287e53ff511fa7b179fb905e3d3bb06

SHA512
7a29ee1d41e6050c3e7266ef4f2d2d1f73f72a0868731a205e056c213f2287c232c7b5fea070420c64b91f6b561a0c9c9cdf423ab0286bb7190e6c8ee15d47a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
12b4675de65e9e551bdc650929b0a8c4

SHA1
9c88559e2e5f6187d7c5238efbf9b40a698c6e47

SHA256
a9f2a327a175116501cfea29f28b919c7bc9e6922fb1c07687dbabce5208c421

SHA512
de9b25659e61f44821abe5177be641c8e07e3f5ae2d9e7e061f1824e891b7880e22bab124fd62ed072a4d1ac8fac93c33c7fe0eed39d9d36be3492bc64e9cc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582c1c.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e28f6448a63d9b2f483d252f53fee746

SHA1
41334499c07025a7b1e4ce6a63149341b7cdde98

SHA256
713078f4d46c37d6d2511653714555f6cd0bd841c089d07a8aeb1b443d60e222

SHA512
0e230ad905e9df9fd3fb6e7fbc77d96c21af6df5952e57d927970f0cda452b270d46d252f8118d48ba16a2fe0c6390ba05abe58be3efc2261b429e70ea44ed8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
1df09faed25397ac91349f6249448d4c

SHA1
650abc8e5817f02f66d73a00724c771841425282

SHA256
d8eca31739027138fff56d14eedd4e2edbf431bd95dc65b2af1d7346142f4c19

SHA512
97fa0f9f0d0d5c221d3c7e313af813fa434a7f8596710a6efade70cea425e2dc76ca3660d4a08bf2c1baaa601458ceb72ab4985b5cfbb3f52fd4ee395e6ca9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
60cbbbedc81fb4f0676d2c51dc9fa589

SHA1
23d3708c7a465dec64a536e77a528ced56266812

SHA256
9aead7674bece5d7f4beeec5d3b1c86d82a629b16656653db02c710e9c05a1d7

SHA512
688a7cc4988a3134cd896f0709b96fc5352731789849213114e31104b2f5d323275cc70325d81b2c1744f378794ff6ac2ca5311aa498aaebf978357b1155b2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9f731a73fbcb3a9f527bc13820434a06

SHA1
e3f964de38665874ab5ea787d26884e922083704

SHA256
7cec2012a03414f34db570acf1bb05e85be60ec34b6105b190f8ec526706bdb4

SHA512
de6cbce146d687340d0c2ea7001b96d5c07976a698d16eb0b6cd6defa6074e23ee15355f08be8c9bfd259d18946e01d581089fc0ea8cda45ff16b117eb47fffd

Download Submit
C:\Users\Admin\AppData\Roaming\b9695acfc3a5208d.bin

Filesize
12KB

MD5
5255f8e3e931a2172f8da5880b37524f

SHA1
0f38e2d00c66cd3975b98a0f110704535f44e6b2

SHA256
b20cf72132433e48163f7c1b8c97922086921dc587b50513d65dcd349c539432

SHA512
119be299fb6513c3e9a8417214bf61f11764ce3586d6d47850e2de1b7cd34fc6874e56ed9a5a8d1b84539ff905a1955d7bd04a83220ba83e4ea8d9d7711dff56

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
49276a5137f62cf1bb82399f6b5ec865

SHA1
425f06653973a1985355608feea7171c309010fe

SHA256
e01c047b3931b09520b9963bf8a1b109e355b8fe705cd7565e447184b9326af2

SHA512
d045a61b03662a818bd5964f85e979d01eaac355a695faa8a9f01bb741f2036f68179143da445759d507c523e0148185f1329112ab5665d056f65e37e6152ed9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9c05b53a5ff8f41de9fbc6cd27d709f3

SHA1
647a72d1b5b9d717d0c045c56836aa9e4a5f6051

SHA256
dd051f41483f030ba6b3820f01b93b2c6d3dd7150995a4fd4353ac888bdfe5a0

SHA512
5149055a8cee7b85f90805c42ad9f75c6227c415a965c1a28353b3ec9b783288a68d4f4697c6e379644c8ac09ca60227be5ef7963ca5b71945bdb8c312b4a425

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
2683c5375612ab85bd529675c56ec239

SHA1
346d23a0a207b0c7106f8575a59504e3e30cc681

SHA256
f3daeaae798441e959974a0021c7ca1145bc3e55c6fe20e6b60c2a5c15b51f73

SHA512
d6e15d1bc11e17e8d4a722880aff495edb1ccfd2ad296d869d4460a242dc7a4a8b9b1b9f3bb1a54bb7c52d81316475e24da0dc75cd3b4c53cf613fa209a35025

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e14d4d6ac0b980613c5e6d0a4afb01a2

SHA1
60d231d0f03885a35badcd388a16b387dc0848fa

SHA256
6df744cedbd919497633c9d16834a24ae54a5925dc8f9fca9328cb660f21be28

SHA512
983ba1832546d047456d14b8c17745c95bf4032ee18cb6bc0814d6aadcc9a4910cdb56067740c6972e9872ec1d05b3c2bcc96b8503758115a158c593c968fa6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
089992c4d6f833c95a05d13e00d625a9

SHA1
fb6e5867552cc357c8af37360f6985e4b9a7c31c

SHA256
2f13186d37b95348b6a3bc88c756b4d5a096b029538d51366322fe8632486e10

SHA512
7cff390eb310c0a7e7d21ec5fad3354ae531210e6cbced7d1b8465dd1eab212e2641b2a74d94651afc5dc06f50402d0c9c5eea61dd6bddfffdc95c067f9d34fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1b72140ae9ed384cab930e387fc87ec8

SHA1
720f4d7e5e69d4c77dd09984f7b92008eb5b2db7

SHA256
da726c5915854948d74a72226cd0136aab9e3ba5085afd81170e4e794842906b

SHA512
1ea96f0d7ced1cec3149f3d1f8e70e60875024eba680ff5bb2111597f2e5998fb66fedfc849c489ae8147faf3689c61843e662eeae2768323bc1eaae9733d2d2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
14d83ceb78728da7ab55f7d84e753e60

SHA1
ea9ce3b3b35e6683aa11d541a9916b7751acb205

SHA256
3fc5de3ddacbe24a4b3de770461f26ed154945d75088cff142f7fdb872df2af9

SHA512
9a5fd4d2e2855026701a4d029011a7e4aeeb369ea108ffe8055bedc49f0a825c312c17a5473beb273ce3fe2b2f048b5cae936ced15261a07a284dd6c6e9ec54b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
daf2383e6dd258b53a5d1e09a8b5076d

SHA1
732661aa00e0ed6763acce41456763b735982053

SHA256
7502f8b8b5b1e77798992825d7e28ff019e8cc4d1a6f9d390878993117be63bb

SHA512
cfcffcb4f24dd663e1189d74c0fb1a5866062b8c83d0de53cbcb7e7ea46b9909665aa6f4c1df577af67c69cd408755604b2590519cdce9fa45ad222d5efd650d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6a444f90e775d9fedb343da97d71b4ef

SHA1
9c5f0d5c488a3444cc0dd06a20405dd0d3712640

SHA256
b5d7ea549e95065c9d8fd913ba116d783a97c015268ab338589e7c4559437fe9

SHA512
e49ab3a649329aa54807263d384e2f985c76323a4b4118ca95d71088011466e57ae57253dee3a5244c771894bd8db1271433763b3465270c459628b7c5096d8f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ebacd00eb441036c36ed1c5cbd0ddd65

SHA1
56b0dd481346dac6438fed75f7ae982dba60418f

SHA256
6d20c1ddae004e9aabe4e5fc818ab9a92ba99d08166598b18858b9bd2fbded99

SHA512
efbcb0571ad58565f37b4ef4e9e2a0d2a1ef108008bb772a76ac607ebf03dd5773144251d011fdf6aed4cc7daca43d79e8ba77257b7cee389b02353b8f98dc16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
742a022c38d200ffced53fa2ff7797e0

SHA1
cb6c55a17c4da63a75bc772f3691c465731068bd

SHA256
e4889fc38c5cba2db1e1da4d40ef2c2cf8db9c561d22238cb1c37a6d047cfaf1

SHA512
b717d7a418c02a0d0afa02034317d87945205baec30851b35624d3b59568f416bcbc9b52ffc39ab86f3ff00aa167f73d7eb0934373613da96897f470a72e9966

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf713dd966d7942dd65bf3de50e157d1

SHA1
4eb68359060f03004b8e23c382bf7fb2ee0b8efa

SHA256
8cc4fba092907fced17350065d22311217adcca65e5d586015e6e58873be03de

SHA512
3a67f96a818bcf926dde9e5761506144b45c334215f2f06d72ec1f65094b9d92585b65952a79d404c1ce193a33a855008b838bf099fc08df07bd5e0132311597

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
14de74ce61df6e0034588a964074ce85

SHA1
869c01863f78e6e677227e1665fcaa11d4ad9bb3

SHA256
45d737a3ee7b6f9367a1e826508ab4f690e9613ca6da78b788aafceef17ce2e5

SHA512
98e9437c62347f8a33134e4ac43b3180f2186d2591f31ae7038e5309c5579ed21352426336def8b0a54373c64c8def01fd748c8f9b4fef4c24e0b1e6fcdc5d88

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
44b5843c74a560dc756ba2a37fe32f9e

SHA1
7c5536de2de46f92fb92736634f7e1b5120d8f2a

SHA256
a8189cd2f5fbff0cc070b54f163a187ec126b4a6fcb17592bb0e6d3b16239d3e

SHA512
694991679aed831fe7f4c581862cab81f970e25a12580d24d87515efb41aabc547f2f97ffb157f538d9196e5470b0f5d2bc5e2ce8f016caa7dc4a5796a701f79

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
816e714d00532dbfc11f3f008b3a2d24

SHA1
ea71ac4674fdf1c977a57a6a65a99e5c0ef6b18a

SHA256
b04cbcf7ce087a61de9f8798e6ccf1ac902ab1dc035000a237f3f7e9d9395868

SHA512
5c652780be3cb9d6f1c5e6987573d25abdcee530945192619e84ceebb11d8399fc8cf4a97df6710056d8a5fbb0edb0a858c6f5bda1c7d3df53535b6016750304

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
243a6e602b035bd5d9b7c4df3f006d60

SHA1
7ee3749b707903d7ead375d310a22a7becf9909c

SHA256
b555288f7ea95f093f4d9616e01d8ab55eaf9fb897c54ad0339333609d59aa13

SHA512
b7dbf7d6a829e61003fa993569b9a475f8d9c11dfcf9c73a86f546ddfc1bcb46210fca1c3a3f6365ac6a12b1b83cf2578b16bc29aace7ca8322096e71741ff2a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
cb288f4c796f032bdbeaabf864d450bb

SHA1
a8d8302901486dd17b4b3f18475957335f647f48

SHA256
deb7ab3d1b30d240d8ae470b48a2aceaf59844add640d3945e8222cda53d8079

SHA512
a3e0e434957461978f287624f089c593c4a40a50cea432e5f03c97803eabd41695284a301390a01921d68c838e11df9109d604a1ac8a96ee24c38ef36a82d8f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c954259394133e5208543258e6a13409

SHA1
1a16e46b40fdc3a5b3b4824c4905fe14780b6c95

SHA256
56b48134bdb65947fdb4678d40136d54ad7cc028f4b693a0e08fae1b541a0a2d

SHA512
90f364b96f77f2ee389949856b08530b3cd2857c3799370fc374a86b2ce5d55226db773af00e99f5298fdc0412b7b15ea0d3bae060237e5dbcd76f8ca5ae2894

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c5df8c84c63a38e5a3513947aaf913f8

SHA1
8740b4da5fb21ec4058ed35f17ff15a84601d43c

SHA256
ac85e57cb158f547d8bb78daa3e6f8145389924e4e079024f1ca6450a4d28ef1

SHA512
87563353bfc0cac8e23f198bee01f57c1384e5518997a88f9889caa7485bb4930d5fc62762affb7c1971131dd0c6cfda29d331fd2008a107c26f304f36fd0356

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
a79a6ae2931515c1f37f58c45feb8afc

SHA1
a1886602d2273df0046724a0b2d800bc50de0b42

SHA256
71a4ab69f48de87778994c94708d211cbb9fa67acbb490ed0d770dc929f18c87

SHA512
5b55325aa660721bea5c869bd1f34b86b6a2cdc7283a6cc481e77870dd82cb8dccfc11ba0fe13e5a3e9736b11f6696b00179e1fd5ee63f6c15aeaf429aa1a724

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
6a4c74cb5134cfb4dc239ea2f20a32d4

SHA1
51c9c81e64631e9ab70ea0d6543a4ab714444257

SHA256
523e3d2ce9656cf1d895b6412c2809d779509dca2acf6604b5cc59f02702e6e3

SHA512
1d1eb0f9d34c33207cb91700fac8fe46fe47420a6f8dd3c4a79ff0576cf740e51ac86b8107d2a699742a7441c0ebe742a454927f31363d595e86bbd78cace863

Download Submit
memory/432-336-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/636-51-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/636-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/636-64-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/752-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-11-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/764-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/764-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/764-558-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1356-327-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1836-74-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1836-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1836-454-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1984-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2008-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2008-622-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2008-23-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2008-32-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2344-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2344-87-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2344-635-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2344-78-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2664-55-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2664-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2664-61-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2664-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2952-768-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2952-345-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3144-343-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3420-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3420-34-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3420-0-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3420-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3420-6-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/3956-325-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4028-534-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4028-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4088-337-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4276-342-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4540-338-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4600-331-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4904-89-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4904-102-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4904-97-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4908-329-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/5036-328-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/5104-326-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5228-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5228-769-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5584-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5584-603-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6156-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6156-770-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6264-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6264-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6328-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6328-771-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download