4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
Size

5.5MB
MD5

c59b90277e65757f320dfbd32f204f3f
SHA1

a53dd97b0cb5944f330c77d3c94eadd57de45274
SHA256

4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b
SHA512

b5186ded3280700ba9e7ea3f5ef8ae4221451ee8ae50ac279ab1e84708e5b7a7c352f256ac0c3332742047cb5e31af9ab236aed989f109dc300cf0f32474c5dc
SSDEEP

49152:bEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfc:HAI5pAdV9n9tbnR1VgBVmDD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4676	alg.exe
4648	DiagnosticsHub.StandardCollector.Service.exe
4252	fxssvc.exe
5100	elevation_service.exe
1872	elevation_service.exe
1632	maintenanceservice.exe
4700	msdtc.exe
1484	OSE.EXE
2492	PerceptionSimulationService.exe
884	perfhost.exe
3504	locator.exe
3100	SensorDataService.exe
388	snmptrap.exe
544	spectrum.exe
1120	ssh-agent.exe
4448	TieringEngineService.exe
1716	AgentService.exe
2212	vds.exe
540	vssvc.exe
5160	wbengine.exe
5296	WmiApSrv.exe
5592	SearchIndexer.exe
5452	chrmstp.exe
5516	chrmstp.exe
5788	chrmstp.exe
5856	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\System32\alg.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\496abc7ed590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\System32\vds.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056e10ff40db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007148b5f30db2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000097e75ed0db2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d867a0ed0db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017d49ff30db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077e6b2f30db2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4199ed0db2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030069eed0db2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
380	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
1016	chrome.exe
1016	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1696	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
Token: SeAuditPrivilege	4252	fxssvc.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeRestorePrivilege	4448	TieringEngineService.exe
Token: SeManageVolumePrivilege	4448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1716	AgentService.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeBackupPrivilege	540	vssvc.exe
Token: SeRestorePrivilege	540	vssvc.exe
Token: SeAuditPrivilege	540	vssvc.exe
Token: SeBackupPrivilege	5160	wbengine.exe
Token: SeRestorePrivilege	5160	wbengine.exe
Token: SeSecurityPrivilege	5160	wbengine.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: 33	5592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe
Token: SeCreatePagefilePrivilege	2756	chrome.exe
Token: SeShutdownPrivilege	2756	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
5788	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 380	1696	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe	82
PID 1696 wrote to memory of 380	1696	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe	82
PID 1696 wrote to memory of 2756	1696	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe	83
PID 1696 wrote to memory of 2756	1696	4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe	83
PID 2756 wrote to memory of 3192	2756	chrome.exe	84
PID 2756 wrote to memory of 3192	2756	chrome.exe	84
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 2392	2756	chrome.exe	94
PID 2756 wrote to memory of 716	2756	chrome.exe	95
PID 2756 wrote to memory of 716	2756	chrome.exe	95
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96
PID 2756 wrote to memory of 4452	2756	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
"C:\Users\Admin\AppData\Local\Temp\4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe
  C:\Users\Admin\AppData\Local\Temp\4ab3cd28b07dd0bdf382cfb9abfb86fc178514a401c5f690acee72102e16ba0b.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d8,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89307ab58,0x7ff89307ab68,0x7ff89307ab78
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:2
    3⤵
    PID:2392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:4452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:1
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:4104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:3920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:4060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5076 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:5916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:5200
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5452
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5516
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5788
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:8
    3⤵
    PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2536 --field-trial-handle=1920,i,12575688798714887899,16613236727327425922,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4700

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5160

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5296

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6100
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb3f8bb4693fccc7124934b507635c60

SHA1
81813a9edfae59ad159e1ba07f5712fbacc1e9d7

SHA256
1a5144a4794afb5b75e2026e336b4fb88dbdc257d2f9b8ccb75b6373c5cf3373

SHA512
86c9514e80b17c07f18055f4306ceeca0438feaa796ae881aa76e902930b9ada16744dbd9a9e4f7a501c79542e9a1504784f3ccfae4a299428552d667d5dd51f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
14c3cb0ac14f80433eb52ebc486d9946

SHA1
8f7be62210e1ee134c83d344f57a44c37df20649

SHA256
30c4a7c6383d55e20017a573f88fe96406e5723ed46bb552d9ebb45c8a7d6c69

SHA512
bf0e37fef5ce29c574b27d90f11fac98b0842cccace27e347e3a674ec7dbcf20e5736a948619f7d9c46f2108c4808c8810b6193059fbf5bb0717031ab1438543

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5d6453b4574e4c4f1cd7f2154641b776

SHA1
7038e9ae9dafaa569ab3da081a9070299d8411c5

SHA256
78a1e0e835d59116594c7b84795802824cd3ad71f966dec9f7acef9adc1f153b

SHA512
2687308281e3cc2cd50714e53d2487331ac3b0370ed18257253f7c31c2fe9384e7f67920b5d99f59bcc56250f6dfa400f6ba211d505cbd1194dd9a2c4ada4ab8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ef9d814b5bb6b9918b6dab0dc338a2ab

SHA1
790ca04aeda2730431aaf238e50e0b19cee8b322

SHA256
9465a90dcf7b15bbdbdb5c637b124a5ac94022c961e19cea5b5be4c388cb39fb

SHA512
cd46760e7a94f874153f245d837b119590ff564d23b3a23953ecfc9d90f63bff575818e28ec6eeb1c9a98558641c2021df971430e3e309b98d46a48e4b7483f3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8573b93ddb9505035f5e2a1fc2bb40e7

SHA1
19ed4a86b22baff303d928461cf95711cefb959a

SHA256
36938ac545f994797b425e020f5315cdbd72e08f5b56e1fc944e6246b513c9e6

SHA512
08e59a678e2dfef53d6cac7f8df96adc273e67417d217ad53ea9e58b930e9692cf0baa4846b91e3c2f49004bfed0b620a5feb78f2eef1f65123f28c511014723

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
db12be25d79132852ee07b154b924f0c

SHA1
bf86a03f8b820116cd7ac30b385171756080407c

SHA256
5b6bd0c95999d821b6aa81ed203116481cc97c8060434be26055a715503968e8

SHA512
e57891ceb3b6857ac78f9a7dacc9ec5377cbf05248b25b3707c807275477d8cbfb48f30b691904ec2474a4aaece4805ef3ae7dd19ec3971742d18eb1a5d4a8a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
84685eaa8810822dd26cb8a831a1ce01

SHA1
e416f6070606cf3a0ad403aaeb336d4f2e7d00a0

SHA256
1fd39aecfccfc2545ee729c125ae0f9bd2d803f7c9d724c8552f4c2861026c6c

SHA512
54d5bd70ed03511015fba38820759d253aea4ec7f84aa38c600528be1662fcb90293b3dc6be3ae7612b1d537832221330d629c05bb61b21a7d8e7ca60e94353c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1ca1196765a790c13a1f58a5258ab91c

SHA1
94a7ac5e29030ce63938a080c86d9c3573a47cad

SHA256
057e9e42274d6eb52c6735834feee3a4e363176dc01d4314f7c88dd3fb912c07

SHA512
edd86f14f777528d2841282201ff3e2641d5889ae67f1102a9ec71b37a3677e901f00862a5df7686ca7ad7ec1d9ea639f805c36e5bbf8cc9891d8138dfaf7668

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b2608b2efe8249e86177a069a295b2be

SHA1
490f7cb9b1853a3c8485fb54c961b7a4c5522bb9

SHA256
d9d28dce12e77453a8e132487002e86b2b0a90bfb3c3c8ff56fb84db3dfa732e

SHA512
77cd5c2ef5a3a77b2dc4c1b7676f7cffeef914b65045eedfb525b13e90b90379c4353345bacf936c8a17619edae825ad91a0bc1d6ed91e65a30a045a582319a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ed605353723652791c1d0e1602a4d708

SHA1
3ecc2a7b2ee96382faa781557a1542530f38faa5

SHA256
73ff075960aa42adbc6c3890de198afd4ae7eab6cc59df0af051d068e0dfe644

SHA512
94367b355f07b242205f690dc565e756df3f5c63561867a6351ae8edc25afa006e83dc43108277d5edd261c017194fe0ceb96141a7b0143211e817544fae63a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
071a7fe25a7658abe9a589b36d289345

SHA1
dd4b7d25ea2c3072fb20be2b9d6b6b855d320ccc

SHA256
6c30147cc2b3a2af019943740404ee616b4e032cded20f2ffc0001d392ae8c42

SHA512
16ba19ee8f6063c170463936e2cb37f53b1ce1eba7e235fd5cc0ecde6d91b00dc05569fb24cb77eee8d1884acf99a6505094a76a0f5395e21c128a92d25846eb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c02ca08a4473220980acc79636b68be0

SHA1
d9c7d95558f9d217009af870dcd8fd8da32a1b1c

SHA256
546955def409eb35f1898a2fdd707161f6b7484428f9b2a0d32f6f6ed68b7777

SHA512
0772cdedd7b6a93c44aa4a73a742b34211fc85f4023fc36a7cd00744404aa925aebc5d720e0148aeec18bf47a745ed0213ffd432bb6c045ddbcc6c8f07c6682b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e439b05d3dc662f40455c50f5bc52967

SHA1
53f4c48679710adb3772b245b81644d82db19542

SHA256
623d9a6fc25992ac2bc0cfc087d17961c0d6d6f1088b6b9821208d546a9e38f2

SHA512
3d7c1b101cc32381bc5b14586b67fe4b01142fc7ce076f080ad28fbde92d03f2fdbf9eae6de9d6290d66b9bfc8effcaed647def2f3d77dbea1bbd70f67fd7cda

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bf8e31ffc4c3a78ca90fe78a757c5960

SHA1
c21eba83d4262fa4f245abd26ec0e28e78c41ae8

SHA256
0891eeef56f0e1e1f18b0339f4fe4f5926abb240f33ec715a0ec6a542dbac9d0

SHA512
bf6df9fd9762c7682c0478efb3c3cc9ce838f0e26063398c154901e92a8c2625eb06bb730d06b2fcae66497f4c9fad55a8725f4722516e8324eed28fe408b40b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e98882c8-fd74-4ff9-b6a2-dbf71fd11d4a.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bd4beaee29e453b8037caff3cdb2b45a

SHA1
9ee36509dfb5107134fe71ed81b96b11d856ca73

SHA256
4aaefa23ea8ed9b8e8e3cb8b05eff04b24ea0d3047485571e56c32412305d968

SHA512
c78d0a9c40147e2e4c3f93349a6405199bf0b34286b2eb9e0f644b87e9ce28bf4af347dcdd2ed47d1db552e13c03483786e43c699e992eabb3fbce4de4660c57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
886696b5310cefe72c40f8645976bfcc

SHA1
829239d98d6769f3d2fff17521fd1b0007ab6e6a

SHA256
ce4ddb75315dfc990af93c9dfaf626ace23768520fd9b19caf816f801eb3ffd7

SHA512
cd9ddcddfdd791dce81b9245fff5980171895adb2739a87899fe43c6b728d343693992538d85f9100c0b0d530bdecc25d7f2b680c10146e582fc5690b9f63074

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c5ab7172010b28a8a85bf683dc6806db

SHA1
92ac6a99b1289fa34338baf8f452ccc5f9237e13

SHA256
fd58c146cd2eeac939bff557234c98b2b97d95ac0f4f4565ba0f44375122ce89

SHA512
88d4f32618caf1e195ee264fbe519c4496c3605935b7b233f4a6a89b7f6c808c3ead3c21ab2683d78501b969c557fd0f4b5d862adc941e9538ec0b9489318c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
466b0fc59176db5273c5515cc2df955e

SHA1
868cb178b65e2dd2187dea9e78640829dc0e3707

SHA256
4c2fe097ea11f6146dc6d795787c67b503a89d64f9026a0f7401c755353c9cc2

SHA512
f1623b60d750ead340c43d78f130245d90e304beb98c91c17eb9dda5952e38dcc02837213d23de54af763fbedae76d67d9d9156b7281aba58fd68b000f783eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5757a5.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
272b12e84c301effa86c27270d5c0371

SHA1
6b5a69eeec8ef05623025e1870e588be0da212c6

SHA256
d48002195ef0fa562642a197d504fb2a143ad84a072b41e5731d93af190dd3a6

SHA512
00511a7c8d0f021d64133b7a74b4386f71e312aa7f4a6c3b7c1fa759f03d2c9bc2e7c8e834b4fca9a363e87e7756bf4a36ecc511804a22a23cfda2a1ee20c924

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
3cd7d656631e396fdeffb8093671d8f5

SHA1
dac2c007b6b2ed1404f8d93d280e662098d37c00

SHA256
d26a2a39ee003ed9fd72e3e9443baaa8fc4535feaf57f742c55e416e64e63cd8

SHA512
57e16d960f68b35b261e724ef98239556b229c7793c6870aaf2e44f31813ca578afacd2a14587195262bfcdb4fd53899c71840e01bf96c3640b25f472596e883

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
fcb6400c6313ce379fd86e442ff40e16

SHA1
f56637aeca91326e17ac6623a31509811c04923f

SHA256
cb04d50b9b7c4b02316ff3e6c930cf584314d6c84ef3f7ee1951b359514cce26

SHA512
3e21001516d50ac98c326d9a4790690bbe99c5a24d92d11aa6744793dc96bb9c10e16ce78d407b5acfce981a0b0fa9989298be0af5ee9382b8d71b701c840246

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5ee957e746872e93b73f9a5580ecc27a

SHA1
61072930d0b09d2d3b2e85bd3dd2bac22e1a2303

SHA256
e73cef2a0f1c1866f17a54789398df2ea7b0085f15598ec11e59392096bba8a6

SHA512
619e1c422358aba12d259397c6376e390beabe3834c8a63f08d87336229ce3d7a70568e4d3378631fc731f730e6850678edcf9dfc637b41063da960db6f78954

Download Submit
C:\Users\Admin\AppData\Roaming\496abc7ed590e271.bin

Filesize
12KB

MD5
cf140231a225559f09fa08e7375befc3

SHA1
b0c86fe2795864da387b33bc7e013902e2b39065

SHA256
096f0f61c758e58d024042b4161cfd22e6b238b5de539fbfbd1222362c036567

SHA512
c3d4aa9d48c062dcc8107c8e00c39dd122c56a896cc9d9edf7a5e8576b1d81f1ccef8a9538d2eb4e769b0380537caa480644e11bcb044a66771d5539b4cccbfc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d3c6bc07f6336c53308c367a05f6cef5

SHA1
56faba64cc1eead60ae191d9bfbb210944487c0f

SHA256
84e6a68f18589abba4b953292f491a69f6a82cd0f7ad2c697ae314e00f008da6

SHA512
c49e53883f06e98983b91145488631858dd9e2b8fc60d95cc708210da19b234faca69400f0094e2a7c1d2a5e4b79ef0223e955d9fb5ac5df2c0a9695bc565838

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5e016b298f93cfb2cb4bb68a616e4dd2

SHA1
b0d2b401e3b76cfc458785b52730f5a6bcbe5566

SHA256
a25d536fbb9f64b0a8fae47473187fbeafa794a3b52ed377fe15f34c8a6ea51d

SHA512
ac6aa910784df61c25adf2a443c52ac2e5ddf69a383f2ac410dc7c8837fdc0418a0f95eae5f56b04e1c8cfb29bd0545b9205602ed994f5440a86b42c24066e57

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0016ff9457bf94586d82b6b141544b8c

SHA1
e28279e7228020690b2c21fd623c646add0b1011

SHA256
8ba971e8d9f0cf935a364c0f68969db773ea7066bc571add6427b8db910a223d

SHA512
fcf7154924e9c8a9842d9207407fd64a1d6eb1713be8add37aedc1676989be7e4acd273b645d73fa608416c1a592b766041987d1279389e8b2bc2062117fd862

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30cb28b5c10eda376bdd9c645eedfef0

SHA1
0dafca62e9459e5bf8eb4b1f45dfe02676f4da1d

SHA256
77c589aa24db1c9010c8b53d2d78cad54ffc2f9d7abcbfaa5c7e378dd233c94b

SHA512
32c0ee11f50103fa1f653f13e32791c71464b15cb7339a39643c44326828da7ac645ee1ac418eb428dce239648ff59b5f8b782f6a56d002bad90db30f7b6f061

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ab475890d5e282f75a8b98005bdc5bdf

SHA1
c9107def64ae19b604971f7b5a5f0e1853a3144e

SHA256
d1a829e5c820d6269cdb03363a22908de6f4ca1d29d042c81244951ff602080e

SHA512
656f14b73af25989d2608e44af171f5098a1f3063c03edcef49c4c51598e68c4bb26fd0086025eaf6091e9d83fae9879c69654d5e7ac90da83a1fe0d9b3705f9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e865965c4609279835209b3df32cd34a

SHA1
a843766d608f3953444f82d42edb2cd36678ec00

SHA256
504ca46be6a3fb44c4189aecaa67fc017f6a62693a3d4806e04b4069670545ab

SHA512
99368a61968f9b22b9095a1df58de2d5145e39139ad99ffabd3eb7b11c8e36781f7e9306c995cd63aaf738fe8d0b12aa20ce6da1fb757862f7a21ac858624d41

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5c0383d885566c437a0595869de570cf

SHA1
d56774224d5abbc447f84d738355df3ebb8fe412

SHA256
f6dd562b865f76f194e20b4d79a40c05cff75d75276712cc726ccaa8aaabe9b6

SHA512
defcf51293835f877b4ff457ba977f677864c59ff7288d0426189dace6ad2222e157f759de7f04bee26dd9f0c030409852454f2ca1de4a0253c7a7b4470efcc9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
56809327768c95f0e1c4cce688d459de

SHA1
8a57f89f86f452c50ef4bfb361d0a8beeb592ca4

SHA256
33f3fc7eeb29d219b98d28aeda5b9b809d3c94d8da0e23afeb1e7f576d649200

SHA512
5044533d15742be55ae0a1ea423144f76c3616b4c979a5b0a4f71f65890281516c1e26ee0ae2d1b34ad06126403767daa4da37428e4cb0ae88e7cfddcf56c49c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cde515a21a2628251b60332ae3dd3de5

SHA1
f01bc84fe22891986fdf9c4618ec3399cb86e69b

SHA256
91c0cc0e9b94041b7c2e68004a3261a5852b44fcb7f7d992c4b39b8412211b8f

SHA512
a87e422f678842861759be71f2c028826cec1dd078aebef3259e9ac2f149ad93507d9e7a95e4b8d7669e20baed207391983a9fbf00ff5c204afad984b6cd8039

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c425c055ecf026922081550751fa7ea8

SHA1
26a007e44b3a149eb6397d7202629cf19f04f169

SHA256
ba4d54434d4ea6549d6417923e40928612d676f8659c6688d6a675b0d616c460

SHA512
6ffda02af223405f9b939a850d34d2959b68deb89e5c53af72c53ed357201e40068f6eadaade727226b58bd42a47591a2e8bee648b3428fcae151ed9d756183d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6c7c163397318d54165425de3831ee4f

SHA1
46676c389976c90c49e5124e8da348c1b1f274b6

SHA256
1f3c381eed48440613704a1972e6ecedc9068300951752030cdb2b206210b39d

SHA512
d3933e7cee890bf1ca4509e870e529a216755e0d6f94e3579b8fded93cc2ceb622eba1f0f997bda1946957e2e831e7acaf77061b03e621ddc1e6a1a43a163504

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
42c88a392cc7d695e7118578147abac2

SHA1
b4854028ea6541814173cdceffb0ea5e77b8597f

SHA256
1818f6258b5de20e8d60dcabc5fd969240f58787b25ee28be0441303173596fd

SHA512
a079fcc148756c277e798dbb9a103db8735e978d91241da74fb589f1ca6f24040ce92f206361691527cc76bc8234f1f4dfb66481238e461f5442605dfef167ae

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
107f2dc57ee36b13f3453a2289fd9e8e

SHA1
f633df29deb9fa0b340801db3ec53f0a16ed3e26

SHA256
9c175e8c927df0298569ada1a8ab2e52a613b5d2ec816806176167636895a7d5

SHA512
f425319d34c55002ac742e4d721fc9cbf1fa03fed71e2a454ece7364e13a595875776877a883f669cc2ed63bcb80275e75f5aa41eddfdea660bc78eb29c488a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7dbaef9bc8eaf3c42b763ff420965c87

SHA1
df1f6985e41046999ac5de626434fd57b093b771

SHA256
de8f721946a1c453aa0b7b55c10229c3cdbcd37b8778812ec3d89cc5866d202b

SHA512
1c1574eb258f546d0db2d9dadad76d3dba3e0928a11d90019ee38ae713497b8a93db01238e0cf8050bd3a1947ae772fc8aca99c43cea83a4c273975e75b47a9d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fe7c92305ff726a2dddab285443a21dc

SHA1
6e390254e1e54da1659d734a7abf983dbf853173

SHA256
e622b1d19a288f2a67549f057026ef90e4f03d1f88298e9982df45d558277bd9

SHA512
f817031e92b72a53ba5c876dd210ba9ecc7c4e5b31a7bf78ac28868b406a484624d35f24ba00d2731bcd1df7347bee20cc580e1075739a7e663b338ea1e2c440

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4e054b51904756d23d3e1ca5612b1fe9

SHA1
22068fca86de494ea71d523e53af8e34dc19c8e9

SHA256
0f697755e84e2bee89d5edb04903118a011774bd871c3d3ddfe3ef20f8144a18

SHA512
2d81d95d7e63cb72a0c02841ddfba25c0f9bd2c8df6e4c0c44b65771e638a4ea10feae3ff22cbaef1ec501f117908dd129556aae8616a266226505d6639ac6f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e44c69a50bfa94e83319c634cc8c8ce6

SHA1
d43ac486dbb4537483ccd70abf3c517da685b871

SHA256
433fafa83ef638194a8aa8fc691256cfcb23aaa604e0396301c0ca05d51f3c65

SHA512
a14cab93801f4ed678e40411998de50fa7398d3a9ba644462ea472f58cbeb02bcbe59ef0240c8b20491bd95458ce00007ff381c2fa64a0b7b90c35cebc432706

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f97fc85230dee3c7b8eda104bddbd64f

SHA1
ccc2d4c8c0542218840518921af6b42b68d65a73

SHA256
5ba4048500da315a812b6904dd8ec1b601b90a546a8068676b721eef3b6088be

SHA512
a7f93d993a51b34bba0227c3b933a1b57c8405d4137c8bd063a6a711187aa1d930d02afe176d94ba93db6427f8ba41d939d2900957424bf9d2a13d7049f2edb8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9b54255a1f5837ff8dadf5ad99bab19c

SHA1
431704f764f3398009e7e4ad37770b38f1dc62f6

SHA256
4fea41b2fd5ee52296071baf78b1a170236de71abd4ca7aa93e07e6cb43022a8

SHA512
bd8e793e0c10c60fbe348e3de3d34a73996dce699e15afc1b30c80ab2dc8ca939d0ee4647ee0f160769b3a4647f13a32c8ce848bad5d17c6955fac56c46f5b6c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
267720e4c6460b6efcb0b16ea22d62a2

SHA1
507038fb5384cb698d14a04357ec7d4bc96aba1d

SHA256
eed0cc6657f769b00d2b9a26deb0f776bcc89afc192c4cd071d30f6c694d37e5

SHA512
ac3e244f7a41fe1fde28e2b950b44b2eccc098d52d686fa6526c9621f5259578905aae3f0a0f75ad471d19023ae5d1453265d5cd0087b8100cab59d1d3e65b8e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
232a86f35bb7f1429c1a9bcc5b661fd2

SHA1
0b8c11f7f46a27796a4620fb97bfc1ee682be61d

SHA256
51bf7dc0049f481b9ec1b0d8b7ab33cb9ae88387c7952cfe36915a60f863b07a

SHA512
d1485e34f44bfea3e9e0f08bff9ed43a11f1e28c0432c57057dd75b09588505c508801cf9169f1171be8abf470802ffa2d90f984c8ccdad631b71c9c5bf69537

Download Submit
memory/380-20-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/380-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/380-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/380-115-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/388-199-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/540-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/540-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/544-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/884-165-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/884-487-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1120-250-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1484-129-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1632-92-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1632-105-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1632-93-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1696-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1696-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1696-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1696-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1696-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1716-249-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1872-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1872-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1872-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1872-277-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2212-634-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2212-261-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2492-463-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2492-157-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3100-198-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3100-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3504-176-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3504-496-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4252-87-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4252-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4252-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4252-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4252-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4448-251-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4648-52-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4648-44-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4648-50-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4676-29-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4676-164-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4676-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4676-38-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4700-116-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5100-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5100-72-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5100-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5100-66-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/5160-645-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5160-289-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5296-646-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5296-317-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5452-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-730-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5516-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5592-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5592-328-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5788-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5788-509-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-731-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download