bdd04b267037a37ff544be2eff5a22be2039325ca345c5a6bd365bdb0dfe4de8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
Size

4.6MB
MD5

b2a6cfbb711d17cb577501acd0e695de
SHA1

3df99abad7b29aa8ee5c3fbdc6bed1af02b5fd09
SHA256

bdd04b267037a37ff544be2eff5a22be2039325ca345c5a6bd365bdb0dfe4de8
SHA512

9899cc784de0592bc8d5455090150c2a318025f5f70c1b32b52f132385cc31b3f5a5217391b39a1779e6e2b124ed2c3bd2513acba76a2cd76721b87bedf07754
SSDEEP

49152:RndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGV:t2D8siFIIm3Gob5iEIUyuFC4Qmd1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
400	alg.exe
1664	DiagnosticsHub.StandardCollector.Service.exe
1440	fxssvc.exe
368	elevation_service.exe
3332	elevation_service.exe
1604	maintenanceservice.exe
1472	msdtc.exe
4908	OSE.EXE
2556	PerceptionSimulationService.exe
4776	perfhost.exe
4336	locator.exe
4484	SensorDataService.exe
2448	snmptrap.exe
2128	spectrum.exe
2844	ssh-agent.exe
2552	TieringEngineService.exe
1748	AgentService.exe
3348	vds.exe
3268	vssvc.exe
5244	wbengine.exe
5352	WmiApSrv.exe
5520	SearchIndexer.exe
1952	chrmstp.exe
6052	chrmstp.exe
5172	chrmstp.exe
368	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\62287e558beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617391472704433"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000671f6a454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c0995454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc778e444fb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e158c444fb4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d06e59454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4baa5454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092e28d454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000014671454fb4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
3068	chrome.exe
3068	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1812	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
Token: SeTakeOwnershipPrivilege	4532	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
Token: SeAuditPrivilege	1440	fxssvc.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeRestorePrivilege	2552	TieringEngineService.exe
Token: SeManageVolumePrivilege	2552	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1748	AgentService.exe
Token: SeBackupPrivilege	3268	vssvc.exe
Token: SeRestorePrivilege	3268	vssvc.exe
Token: SeAuditPrivilege	3268	vssvc.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeBackupPrivilege	5244	wbengine.exe
Token: SeRestorePrivilege	5244	wbengine.exe
Token: SeSecurityPrivilege	5244	wbengine.exe
Token: 33	5520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
5172	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 4532	1812	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe	82
PID 1812 wrote to memory of 4532	1812	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe	82
PID 1812 wrote to memory of 3820	1812	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe	83
PID 1812 wrote to memory of 3820	1812	2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe	83
PID 3820 wrote to memory of 2000	3820	chrome.exe	85
PID 3820 wrote to memory of 2000	3820	chrome.exe	85
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 5008	3820	chrome.exe	93
PID 3820 wrote to memory of 4592	3820	chrome.exe	94
PID 3820 wrote to memory of 4592	3820	chrome.exe	94
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95
PID 3820 wrote to memory of 748	3820	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-01_b2a6cfbb711d17cb577501acd0e695de_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb54dcab58,0x7ffb54dcab68,0x7ffb54dcab78
    3⤵
    PID:2000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:2
    3⤵
    PID:5008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1036 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:1
    3⤵
    PID:3360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:1
    3⤵
    PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:5424
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1952
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6052
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5172
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:8
    3⤵
    PID:5924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 --field-trial-handle=1940,i,14241395871512622441,16305847935701511499,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3068

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:400

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2128

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
10603fac68f596ac1fea5c2a9cf7770c

SHA1
42c8fbee3daafb010c1cffa384f0d43894dce65f

SHA256
4cfcc7d85d208e98a23cadab79a3ba54f05f3aaf56d5b0e8cd3643274a92611f

SHA512
c54cbb98dc0684986963b898104dc2b88aa751cfc6c49f136db0e2c59f6ab052eee4aab5a4214b4b2e7326e6a554fb9cd9e19413995ddbbb8e316caf31ad2670

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
811992917ed259d36f251aa8bbb0f707

SHA1
e5545570e64fc5f0bec56a88bfdb1612f5138628

SHA256
ce91ab1fa8d53b9acf5beb04af4df96e835806cff799e20d40fa5e9b01509703

SHA512
0c5173e5dba19497f6a2a42cd150d071378015d356d1b56d496d30bb824c71f4717f6b2a925dae6040c1146400bbf8c490cbb50d894685c35b6b2f63071ad54d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8334c3129ab64f7a28ae0d931048515a

SHA1
f5f1e3d7a1c47f3d536f9c8a7bba7b13f08c48a2

SHA256
ab9635344f5d1e7f4dd3fa96ee3335584197182cd2321d46d0efb89640b40ad7

SHA512
a8072a10c9fa5b3df303376e04abf598537637ee56ba6db9a1baab5c238ae7690c8e3e2dc2daa4c67467d43a782549290c958340d429d9c639064f41c2b699a6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3652d37e451511a05f78f2b697b768fd

SHA1
c88340706d726fec213a0baa2fb7ee7faf0fba10

SHA256
93af4aa16caa5775d7c8a3aecbdd123f045b5e3c130dd708e8f804058ec5d326

SHA512
4dd5fd1a0e4e79f94f2b4ff168cecf519f63f41c111608425b215dbc0704ef1b3313515ad17e0d98911586917172e8fe31458b41c7b4d6dbc6f2dd381107fd86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b0852f38dccf146748c125d000a5dc3e

SHA1
cd1ab0af58a3c3c84b1eed9043b1647f7ea40aa5

SHA256
9a6657b8ccc59d45456e1cc81fc7401593d0c1618768aa619f33ebcc9aa92ed4

SHA512
323b91a5981771cf9fce98ce11333d0844aa7e696c088d9af24c5414257d2a1d6a89e9f48ba4a9a525f89c5392217b29bc9629414959de7429a573c68432a5a2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
aa4186439e5d7b5a56027b9494bbb87b

SHA1
03eb9b62462a7a3aa0b32b2a1ef9455ae8895eeb

SHA256
698f06c7b06df055354f5b27b110b60c1e3e9df441cd08ea4fff602ccdfeda9d

SHA512
1598d5097f4034fb14d7cf312532cfdf4ee55fb97abca0c3d1334d07b680919d9f0c7942bcfde075202f1f8e301f1be9068a3411ad22f7a89eb041048a356b22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b39ba0db3efbe4c73eaac1898890b4d3

SHA1
f2d824c66de3a0251a63cb530087f4feb99225d3

SHA256
efa4c3a3a2471d2029ca085f774bd4793122fa9a5c190929dcb33fd325ea0b1b

SHA512
f1e795311fa02bacd214d1500a72837fd3d77d76f5e9c4296d02d9afc18b310943a1aec1b53762bf9d7eafeb368fc0aefb60fe5fa1c8809e73f0ca687147806e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8fcb4d81f5eefd3f8ccb4110850f256f

SHA1
e776cbcc2ba0d834a8975eb4b5d7fb5f676737a1

SHA256
0cb68df41bfa1d2be59b62fc9fc406f442097a98e49583df3d01ef5c59349ee2

SHA512
5c886d18f7bf4e604c7c6cf8f21e6f28ab99651528d080ff5b64b051f796a006939ef320f5217824959ccfe3358f3a9d309339274857560e8fcf82f98bb05d99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
35d9cf641636b6948341a93dc17ebeb3

SHA1
e2da71d34ca0f52cd1e408f7d77615a1ad3649a8

SHA256
377ac6255aaa2859c02f072bc6da4709fd94c10c7dac509ef825f335853c1300

SHA512
b492b6953590fdda6a019411134afe8c1105066c8d07cc01891744a518f2b5e621ca16b9601ec0b9e22898fa465809f13179450f75be9d1b32f843ed95b96c35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c53be85d57589ab24da5d46749ff0def

SHA1
03f6035c3c4dc8298e6917ddaa02168ebcd3d1de

SHA256
1b6a4801acf99c1bd8ff99e33d0a6ba4c4f1988b430e24a3b977050eec2905fa

SHA512
37cf6169a0c3ce7c8448f266de245216a93298ab7b7907fd53c1e32d8ad07ad22ea53e10004a809f934f15918f74add4305e53d18aff9aeb3a016bb5d8af0baa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6393a21cb075a40fc06edea175dd6e94

SHA1
326d5f6b84aa3f48c2a3ca5c3b11b54f379eb9f9

SHA256
cecbb6dc568a0679bb8800732246980edfd0253edd85dfd58434e60b040d4115

SHA512
cf848afd4cf27a84cb74ead263bf505fa0e08c0df533ed56c4eaba2bf543301704bf5542fc6bca7b438a8aef9f49d80e0c6ee3e85d34f0f1e17cc57e5ffc367f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0fe4239b382a1c465354a20b53dbe6e7

SHA1
50d198904840e60ee264110d945e2b79523fa755

SHA256
e55223fd14d436c4192c46d8cc3e878dc32cc8c0079225fb90e1aeabdebb0769

SHA512
78bfce8e593ac32f9a72e8a5f83a00699ede02143c56f89ede25391f890eebde000b9e109360827cbaeb0e429b151354abd1c11a1e6cb03e8953d43811a25c68

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b5b7650b028f61d4a5e82beeaf34f8d1

SHA1
d61520a864ea64c7a8ce51145ac396ee023c14d4

SHA256
9899d4a330eaba128be04db035c208873fdc64bc02b43eefd7d68e2e0ac89ecf

SHA512
afa4a687536f0d5b3f43a8a1e0d30ad114012edf831309d449867ee1071c1cb7027efa7b33810d9ca61e227f6c267280c90112a6f84d0c2d503f2a09e9e0a9d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8dc420e638f7eb0f55ac7ee31c6c51df

SHA1
67652ddf8c9b493b70add8968074cb897a26c98c

SHA256
b8df3e56a2be689e706708cb6f523e078ee3d1b1aaad7e64b19e4f8fbc7b270a

SHA512
925cd26ef651a5927ed4ca76761f257643f002cec92aee582b022b10e424dc382d16e2908f2f8d346ffdf19665487e5904b6938756248ffcea98a827e1ed0671

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
08cd6876d88e27f910ece31dce4f0c52

SHA1
68ebf7adc42cc3e56884597d5e818e25c80316ae

SHA256
3823fca58d8ead517e9f18f3defeaccb19ffc1631a85561babcdcdc94f163f3a

SHA512
47d689edc3e87b3a3ce661b4412459d6418ea5e9a3bb7be069fe7be6251fb6a2da3067adcc8b17925b423c032501006ab278e08cd91a92dfd8598fcad0839d40

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\22fa9e90-5513-46fd-8f1e-fd501adf02f0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1aad8e491ef1e66846d60bd473e67dcf

SHA1
a63f805e24b427188cf8b35cda7c3acb284254ec

SHA256
b54c1ab356dd449550112cc9be82a7b10813bc6d37f43f9e7d4419c75dbaddda

SHA512
c37950611037b8e58e19aebe0e96dfda88da33d42a5bdd5f5504c584b51f6e1598488793bd9243ca4c15436ea3ae63e4b468496db59f669fb6a83038b48ed9d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
507933340c955cf5c8f08508a3c08dcc

SHA1
2529b066d93a0713dbd86a154bb462eec7fb2b9c

SHA256
8b873891bfd8344427cc397fc21166bf1c6cd54f47ea05dad8f9db07454a3519

SHA512
6c0fd12fab3a04350ab25c8eb0de667474dfe38a65be165fca07071803dafb7e3a9f3ecf52fe4f3ca11c93f5b7af259e28fc295a715c7294dee95b0cf81b6f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
7ebd46b53cd5e3704b962c22422638a3

SHA1
b9f656f71745730fdc86d950805eec9eba456e33

SHA256
419c93655efccd07cf024607e4f354c8f9b15bbbaba529f1321a0715aabb53c0

SHA512
95864da6617c753b8016bc9865366284edfeade7054030617efa42434e6f2e8f9dae601db0b2ca6f5b223287e538a3424f8f067c2496d846af090be2ed7a1450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d0f8e2d4f847ebedcdddd2eb95f5b53b

SHA1
28aa8edc27fffde8c21a0f7f0e68d62fc49c7890

SHA256
05bf0852177afbbe392831e269b96777b5bf433d4f59b6fe63f6c3b5a2a33d52

SHA512
5851d4cb336866ae7a5914b3576ae873d1b230229eb3aca8787c717aef56e9461529ef5e34635c419741289ba9cabcde1082c0d95a6e644809457038d983bbe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57593c.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e7c99db33aa95a31eae12ae62156c344

SHA1
e0174f5acfc948e6bcec3f77cecb09430d03ebed

SHA256
b213e4d700f69eb921e52021b7cdc2c596980285e79fef7eaad700dc60d4416e

SHA512
73ab8388e378b090f2782b3dd40795b42c12dc93951a28ba97c3025a843c78afdc27e385a4c6523f823e887c52bf48f175cb19630688ab94e7a9e6004500b50c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
39aea78ef2aa83b5c5743f9e5768d9b0

SHA1
c60d7ce9814ccae3407fd8f5baf9c16047e0b025

SHA256
1c76197433d49a0562c8f7e8d1c9d715c4854f41a29b977084ff43a353f66e84

SHA512
c93273a4b1ee585190668128a5b523e24d5113fba4664fb9494d7709c0b76fd88f137d7e2862a75c8a3bb4016639361816340d086ff2c1dcdabc7de2ed3de3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
07f0495fc38bdc0df59e798a1ccc6588

SHA1
6a1225d8063ba43cbaf5b28e801017f38fd763f3

SHA256
dd5b403c38d9fa43ed069cf93a9cbaa06b4f9380dba838063db6f9a6c8a463c9

SHA512
f78225fcb135306d380930cee89468f7c5989b4dbe2f02ae77ae87835e81ececbe8e10bc479e6b95af978e3b59860441d76373bfd983bdfae89711299aa7007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9a247f24b71e6cd1d0e66e12c5ded3f0

SHA1
b2e38e4f772f568b485ed0667f65a0f53027ea48

SHA256
484121607787d78d3f55c120a3325b16ae63fe8e424f4923f5abed68ae843a72

SHA512
50be37ca31c205cf0f8c9c5a31216c5bf194c50112d08b3e8a38766341e77bf19f226e9f0eea033232631f6b06c7ac532c4e174c0ecfdc6965cee627bc737d4a

Download Submit
C:\Users\Admin\AppData\Roaming\62287e558beeeac9.bin

Filesize
12KB

MD5
d915466ce859de45453568ed34237c62

SHA1
85b57f51c38cd84762ffbf235c576c0406774057

SHA256
31c87a647637401d44fef86ccab59c080472ac5c320eed028cd9bc0602b83f39

SHA512
826154f8071b296ed1cfa8cf5754f77934c3fb5e5db37fc42f152b62753355d681956aedec8521952cd9151b0b06720168ff9a03d20d7ad85dff5ac87cd78326

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b4fe97125ac8349c4c10971108b548be

SHA1
745a1d8ae36508245e4fdde0a1c6dfbce849a72f

SHA256
60873c45a28f19a9d300996b33ff01b62ff7e5922958022677904f306e4c3380

SHA512
954fc047b491d52a54cffbd0a44b23bcc7a274b2788c63b69b20300671f0087167320078c183189b83c7dde3bec275216951d57d99b254965ce12c8c5e889c5d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9643780ab7706734fc5ef47ec3a61f59

SHA1
d5137b196a1362ea5abf66d2d9c383ace6c964d0

SHA256
27ec80dff22fa21478e18817688fb09640ac812c512ceb5d5edd88823043a14e

SHA512
9667f1a708c8f7911e1c9ac5541ae2d2b6d99bf82ca29ab33c0c392a2ca3a2e1f112b2e37ff1a837fe9bad492a535bde86f4cbb80e59e7a62fa60de9aea14a96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a2b5b125f494e5954d4759c9f55e4855

SHA1
057a7a5a04c6aef77d4ed37dbfc1003c147fd7b1

SHA256
207e5f1c4b2e6ed6556f2dca62c1e452273eafdaee0f04c78f096cbcde2b169f

SHA512
9d3cc2e66645d37decde4b2f964ed91794900bf5fbdd3b0cb6d0bf64cf2fcdfc94831ecc067e90b7c7e1c1bdea9ad501dd527677205af75939e3899d0d5a62c3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b1a6b417aacb134eebe4dec29b3cbd1f

SHA1
f03a9273d39960f6b4e8a0d9a3d291f558efddcb

SHA256
f5d0910cde54c8a4f6be85def8760792691718350c922a34ec836cf7b806f4e8

SHA512
c590eb0cbcd9dda9128ad830eb59c9fbe8bba0098bdf20f1d29b2ffb6572e755d9b68b18e47ec7e05604a430d8515b19be10c16404c3ca72d8952a2d222a16e1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2070922d482feec083fe68018bf7bdbe

SHA1
7235f2e2f2a979e2e508445ea1388dbf4dbaac33

SHA256
b17e006ac38ca97edb1e65bed76dbdeec443f5274b6c3d74b02b4a845fcc8048

SHA512
f80a2bce947873fd5449d62df618db446308b44906bb983b3d9d2dc8d9e2fd6343063e1b999357d528ca2963a60eda412983622c64aff8ea227017c3b1e6a807

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
98b80a8e68acc46b8ccb71c2e1d8ffb9

SHA1
217a6f125c5e7313803ff346ce1544147aaf39c1

SHA256
4cbfd3158fcc40b4fa778b12cd51890e9d44b52d7be75eb87a1e54200f9c7c80

SHA512
804908660fdf072f9c1618501ba1ff6f6a0a43228211625f25e152946f5146edd5688c50512600c405dfc8529a27c7e32fd6012e5c2b4b1ffdaee200a96ad26d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
56ade67b3fe326f4740f71297918190d

SHA1
4e404313f1aad4af447640ea7139fcdd5e165dd4

SHA256
a9ad790d32f8a820e50228680449d47cdf9a37bcafde3024ccf181a6c6d95e6f

SHA512
f6e437ff3937c629addc70e04d1a55d6c0c14628aa3228d24f303596c1b39c81218f8b053db17984a0c00ecd1b85ebae09d0ba9eb4389bb8ed005d5c27efaa31

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eba67676a739ad36c2e14037bc680e1a

SHA1
9437acc5ee80a1211ec11a934773ca29f0158ce3

SHA256
035ef560c208a9b3a700c9bad67d750739bb5c92c7de688bbfe20e31aba4afdc

SHA512
ddff6cc55a3d3192ac21878f54a7f4cc953f87766beff7c9ee9865f96f1dcb2540195a00812646071b025c3ce57b660057f21429463dc0f0bfd439dbcec59128

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
248518ee1a5826b7c11cd0c7c18cf82b

SHA1
caee5815a72073364183c25594bc2ae94d438953

SHA256
b7416f2612dbaa7ba63f260a0533f698f201eebf6967df6256f499aed2becb54

SHA512
a2958e8676075e0c92a915c886d491cfa06b0483c5a13b32c657e925f055cca1e0f9d190722bf33fe9a22d72422fb99cb40787ae9867dddb2890beadea07b7c2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2fd1f9a4dc685fa71a1eeccbbd8e6780

SHA1
6173de14447952d032f34b1f8605f98a814f0b47

SHA256
a2a42dce31d65535e099d3061ec43297407326d6a7cca93e265b362a05508e1a

SHA512
09ff2fd988d0818ebd8622d2810f518591756f3cec86dc4fa7bf4307d65b566c7f13de329cc0396797f6fcf9fe03ff6118de0b65eb076ee909c1d6cb691f30d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e6b77ade8c272008b149746f62aa2873

SHA1
196cd7040f9f1161df5873d3a99345bb49da5b08

SHA256
0bdee7af38cfd08d15e2e0f6662813ca0e1168b70337f67b223aafcdcbb56671

SHA512
23d729a4fd67fcec84984b9d5815502ca975e28ff0e69e1b7aa8b9483b85619111948c7b0dc72d771125c865f5c4a25bfc70884915d926f53191816d6f9760f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9e5791bfa9388fdf5a3c756c6cb4195c

SHA1
ec8c238304520ca27125f170782e58d519377b65

SHA256
5f0b7527364d53100e7da8bb85b83fc61f7f3d5f9e65fe0accc1e967609ce56f

SHA512
764a900476d5d6fc9b869e12a5c16487f52f11b9e4e4f1a8a1588a9bcfe4c06264c0f4d1578152ca9d8e16d78d28a5ca4959cf7cf69e31d227fe23e7fd412e5c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9d582ce687c39a561a20885c8878d262

SHA1
93d733db1826d49c593c4b4beb09c8b40829b2fe

SHA256
d633038ff417cc4a904cc6b0e369f71fc1c5e4f0bc50340e0321f8292d58c37f

SHA512
60f4e43c22355d90c76c402c141193b6fadd92ac7b53090fb2c891a48f9c626c5d113183756d1a113aed0dec18e969328bf2d25884b08856df38a4e96a8910eb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6a15c6ead3444407c3938d6dcccd9d08

SHA1
0f04b4e65d76f1be68aaa6e6419fa00b325a2d25

SHA256
fd23d5d91004e31b1fb3527f03004ed4fc6cf4a803d1cd598732e6f644e60fcb

SHA512
d89e2ffd4cce75a5a94c055848cae9d27963828869a96ed4a9a03a70caab6757b632d38cd44d50ba71e5983087e6e85976c6eb5542a13922da533c0b78536d6c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
307fce7abe5e29917f4cef0a7857bc96

SHA1
f566b0cc31dee39b3d90579d8c2a5f6858e74597

SHA256
d69009e0d91b3c78f8ca94da4daf09733406e0cb3280e4166df1068bbbd31542

SHA512
90a1484adc940418d03f12bbdacb3c0e7f1a9e9b3d8995eb6c325f9a00b88a29f21e844e335757510c2d183b4a93ff75f62d132b7fb991daaa3720e2664a0b81

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8ae2c3732184644a58de5420be608de4

SHA1
174f54bde7f9c709229212541e244540a0f951ab

SHA256
5528c7135f502c0691def4ef68e2353d00becfe650e52dde136be299f6bc4623

SHA512
4e52d712eb0a990f0c18691c7274f7c6901bf950bd2312cf1b7783d5accf23ea822f24a8cabd5100cb7cec73e12477b7079d02de5e6c4ebf0b15f36abfb98ce1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
58975b580673d342a2281fee7c5cdd63

SHA1
437370c269add6af5873fdc5665336a185af4fdc

SHA256
e13f4841e2bf019dbef223b377819747bf457c3d03066381ffd3286e74591ed1

SHA512
247c9f46ab5f5afc18196040cc1a8ba65a9629923ed79e98e81affe491f2a4a50e63032662344719c2ecfc3d8529dc1a2c004a5798f662bad1c424eaeed208a1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0e0f816766fa32c6fd3d07846d1e8cc5

SHA1
7f43b8ae5244e02925d0f3626c20ed1c6a479a09

SHA256
4ef02ff8a158354a6679a99220f60dc7e795dadf8d48a801735f2badf2140436

SHA512
17dd5066cedaf39108e56a0b7207d87895224bf3fa6490ebbdd822235724074195595eb181b560997a2e4a4c509a3d7d3811c8ac4af419903eb3469a486ced6d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9bf99b4ebdd4f14b24219148890faf51

SHA1
cc9c727de6616b5f53c28ee3429200bd63940434

SHA256
64c589dacd6c0243e50943a77ad54a405ff56a13892a2923fc9db237a2d5af28

SHA512
8661c56237966462b3d4f1093afacf14bbb5faaf0205a9e96e79461ff1ac2cb424e7f8b5f850ac93768a27195ecd68465dbe3417effab2265022edbe09967b7a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9fa0f00f2bf7f19743ab5f75aea35ddd

SHA1
2dfce9ce73b504fab0653cb8475ca94d3df135cc

SHA256
2bf707073c6f62728dc01e9709e821cfd61243e95a7fa2b27b99e4e0794a0da0

SHA512
2b644754e01c4106cfa002b86404c522a8059d219957949ee670bf94211baebf69e58390ce051373cd335daa4cedadba7eb896171c21e7dba5e0f2a81a03acca

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bcc2afa77b8b587a16d21ccef214028f

SHA1
156bb1f1c451ce2ffc9d42eb1efaf30f536280a4

SHA256
7e736cc81064e3c258c540f20019b6d4163d2f07a74a15878946e0cb070dc344

SHA512
40c706fbbb9b550fa43f6e7be63cef736907fece7202846de284256480277afbf6f0991ccf963f33638d28056df9040247e3786806fa15480563318eef95bd9d

Download Submit
memory/368-735-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/368-76-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/368-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/368-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/368-79-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/368-70-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/400-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/400-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/400-168-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/400-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/400-38-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/400-212-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1440-60-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1440-66-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1440-81-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1440-83-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1440-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1472-128-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1604-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1604-96-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/1604-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1664-58-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/1664-55-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1664-244-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/1664-47-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-221-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1664-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1748-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1748-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1812-19-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/1812-40-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/1812-37-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1812-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1812-10-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1812-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1952-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1952-621-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2128-541-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2448-215-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2448-536-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2552-576-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2552-250-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2556-332-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2556-150-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2844-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2844-557-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3268-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3268-719-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3332-279-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3332-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3332-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3332-94-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3348-296-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3348-710-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4336-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4484-718-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4484-214-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-11-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4532-36-0x00007FFB70040000-0x00007FFB70309000-memory.dmp

Filesize
2.8MB

Download
memory/4532-167-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4532-24-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4532-18-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/4776-345-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4776-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4908-147-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5172-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5172-610-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5244-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5244-729-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5352-730-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5352-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5520-733-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5520-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6052-734-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6052-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download