025569743112708f82f78e51470f808b9bae480e7f349adb2d8992dc2d6931ff

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
Size

5.5MB
MD5

4ad62d5b653a10dc7290d9a37e60b933
SHA1

24e911cf9d6ee1ceaaf3cff43d5f73ccd2366db0
SHA256

025569743112708f82f78e51470f808b9bae480e7f349adb2d8992dc2d6931ff
SHA512

bd2d4a07d94f4b49c914b4e5f56c42c95e17c0448b9c1f0f3ccfad415cc3179cbc0f72c32d845edd31579e4ea1ac62ac710c8e3d1b80a84a53ccd051af32c569
SSDEEP

49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfi:zAI5pAdVJn9tbnR1VgBVmrE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3512	alg.exe
3696	DiagnosticsHub.StandardCollector.Service.exe
4852	fxssvc.exe
3680	elevation_service.exe
996	elevation_service.exe
792	maintenanceservice.exe
2252	msdtc.exe
3664	OSE.EXE
3732	PerceptionSimulationService.exe
4960	perfhost.exe
4584	locator.exe
4712	SensorDataService.exe
1588	snmptrap.exe
3548	spectrum.exe
636	ssh-agent.exe
4528	TieringEngineService.exe
2848	AgentService.exe
4192	vds.exe
2232	vssvc.exe
3644	wbengine.exe
2116	WmiApSrv.exe
3992	SearchIndexer.exe
6068	chrmstp.exe
5320	chrmstp.exe
5452	chrmstp.exe
5604	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66453d72293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\OpenExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c81c4584ceb5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e18d1582ceb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000018cf584ceb5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b37e7082ceb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bef40982ceb5da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133619037499806640"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce342d82ceb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075e77385ceb5da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
5536	chrome.exe
5536	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2680	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
Token: SeTakeOwnershipPrivilege	388	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
Token: SeAuditPrivilege	4852	fxssvc.exe
Token: SeRestorePrivilege	4528	TieringEngineService.exe
Token: SeManageVolumePrivilege	4528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2848	AgentService.exe
Token: SeBackupPrivilege	2232	vssvc.exe
Token: SeRestorePrivilege	2232	vssvc.exe
Token: SeAuditPrivilege	2232	vssvc.exe
Token: SeBackupPrivilege	3644	wbengine.exe
Token: SeRestorePrivilege	3644	wbengine.exe
Token: SeSecurityPrivilege	3644	wbengine.exe
Token: 33	3992	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3992	SearchIndexer.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
5452	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 388	2680	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe	83
PID 2680 wrote to memory of 388	2680	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe	83
PID 2680 wrote to memory of 1148	2680	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe	84
PID 2680 wrote to memory of 1148	2680	2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe	84
PID 1148 wrote to memory of 5112	1148	chrome.exe	85
PID 1148 wrote to memory of 5112	1148	chrome.exe	85
PID 3992 wrote to memory of 2492	3992	SearchIndexer.exe	112
PID 3992 wrote to memory of 2492	3992	SearchIndexer.exe	112
PID 3992 wrote to memory of 3244	3992	SearchIndexer.exe	113
PID 3992 wrote to memory of 3244	3992	SearchIndexer.exe	113
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 4848	1148	chrome.exe	114
PID 1148 wrote to memory of 1448	1148	chrome.exe	115
PID 1148 wrote to memory of 1448	1148	chrome.exe	115
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116
PID 1148 wrote to memory of 2200	1148	chrome.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-03_4ad62d5b653a10dc7290d9a37e60b933_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc9c6ab58,0x7fffc9c6ab68,0x7fffc9c6ab78
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:2
    3⤵
    PID:4848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:1448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:2200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:1
    3⤵
    PID:792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:1
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3776 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:5768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:5820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:5836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:5932
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6068
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5320
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5452
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x90,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:8
    3⤵
    PID:3396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=940 --field-trial-handle=1912,i,3427577925613225546,12824428494302293460,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5536

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3512

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5072

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4712

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d8848f71d845a35a493ded4d817ea0b9

SHA1
87d54676b891e5c2b16480e526850ff4be98a60f

SHA256
041c31548b0e3114f71e8ec3dc23197904335d4cbc8759667ad62774bee22409

SHA512
e1a81fc7f16cb8cf6a569003901595f961d837ffd1125c37eb50b1df77eafce3a72aaa106d61c19f8edb22d6c586078b4595048a451ed5bcd88de85f18cb957b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7b0fabbfa049d57f511e9692336c75f4

SHA1
7fe85d3e40f7a2017682c321df65dfe8c935a877

SHA256
8b4e97fac4c1fa3e72db8b6c19165d0a258684e6a35ae518f46f5bb294abd841

SHA512
65892ca18aab962e602109c5cbb59e04c1e5ddf86637b8fdabc7a5410e20002c35e16a5b92e2d72715703e21303c6ab3a82bf1c49ebca98710dae70211d0e1b1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c3997abe673755af4f07275d387cf82c

SHA1
f4edd6eae748984100eebaddf45ab4a68eac2edb

SHA256
5116c4bb478c2b2895c24e42260cd5d644f009359e3e9505397b726ccf60800b

SHA512
03016e42cbf2a632c8c9cbc988a6bf4800f05586a80a1fb9efae7932d16ddcaf8b8727a727f97bc1e74e33682c3d9758b877a8f44fd83ac2085f6d641ee79846

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2675d4beeba9176ffdb2799bbc186bf0

SHA1
e73a94591d79f097f9069625da0acd63656f4a4a

SHA256
6dc54135451a4dc55fdd11aafa6043e77d064208611bbb2716679410b4fe3553

SHA512
45f5789d514276df8aa203249db663fd7dd2f62a267b82701bb54fbbc2b4f4712210a06851721f6f6d864ed9b828158749fc030b050bb4db1ea5fd9e865fa761

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f5052aeff7379a1537e3bcbaaf8d9627

SHA1
def5aa2b063feeba3176b9ade7021d776ba132c8

SHA256
904048eb51d21e6a61219cf103400325725b724f7f234d9aceb5ec48118269ad

SHA512
cae1f3c13af0a339b606fa5898d0594800149a4f1d402345f8247eeec1c33b1a1b66555d7cee386d49a8d91a2a83f55ba752a8c992a8efa75544abcc8fd76caa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7506d73aa9fe9114c74c0b80bbc372ec

SHA1
b48f8100ce735235f8fc4237609b2c702ebf1ecc

SHA256
baa3f04c72a27387a3785a17263986683b17f1d0f4ac2d328d536db34c184853

SHA512
8aedb5e1c0bffc724fb3a17d096629809d219b58ef311e8b37f0a2afbe038f77dca659f0323fafaf9ce54d6d426882763848e896be74a82567d105ccfd5425a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e118b1365f108d2607e45e1d0d40b284

SHA1
6dc310f86bbd82e49e1752853df7672916590593

SHA256
8d340d0c1a05992c3027c0d0d7f36793eed2dd86b04614fb605bd0d81ac8b0fb

SHA512
40ace0828a77776e5a05d6137c324d06a1d5af02423f01757a2014dc21778a8d4d2765ed15da29e07ca3ccc3419c3ebaafd4aeeaa18902a1b7e1a3e581661cd4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4cf7c5d7d6ec46c6a93e3cdd3b33bd87

SHA1
8ba1a1ecf577686f802083dfad64db25bf2372a2

SHA256
eaabeba9069ddea31837b4a61269571f0be0d622936eb7091dbb3a62a2c7ce09

SHA512
ab8019206290d1dd62a5b12ca9b312df1aba55e356c6059b362ffe363220ed49083aa4b320fbeae8d0014c2b246e11d9b4c95c5ce119187d4c442ee02bf2c7ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c5f390d51961f4f48916d239d227ecad

SHA1
158ac0275263c82cd06c096ab619af362bf8fc15

SHA256
f6b77a5d9fe6fb47887826aa832be541703fb6658d05e0b7a211d1c464e7d589

SHA512
7bc2e2223e38f7609beb36b515b73a34f9ed63834254fce1610db23aaad22e6e5f49ad2211a6a6dcede71464c8b4d254a1cb48edd8221409362ffdfea80c81c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6e84c098e9f5d8141c4f4d4961db7e62

SHA1
b30944d5ae8bcd3743c5b78fa045c5e112d839e0

SHA256
fe7429196d7e9ed42872eb337ffcc70181749b2a4a3c27f53ea8b577c236825f

SHA512
31746f19251e852d0b2ad0fadf1248b066167ee1a0567e12f7e4a972cad9435e4f11fcc81fef5667fed3a2e16a54ddad1a97e159d069e816c488874bfb7c9eff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
733f4d09a2d791d3c7ffa0ee21df5ee4

SHA1
eb45441c6b2e5d8fb3b6956213417849b81e2506

SHA256
13d1557918faaf003312f1a85f576b349978574c7e79033f4722102d74a70595

SHA512
3795a0d3883d990fbfe06f7c8036c427efbcbe79d110d04fbbabb775860704af3b9338af1c65f77e37a4cfedcfb5ed4478e73bc1e623ca79c6dc29897e95b0c4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1821e1485f8d970650e743cde5395d3e

SHA1
24f11ba8f3c46792ff2e72ff5a41b2884c633d94

SHA256
95e6afac84c397348ca09a6c435419310db7a4693810a88e6690beb8e99594aa

SHA512
a9760e99309dd3eebad0f72b78ecef75266bd437414be1f0146535452e82b0563e38c8cb0d40607c541f3cd4cb76fb993725de006e5ade3d07e5fc03b886fc36

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
aac1b1d5779eeaa0b1862be4b8a46fdc

SHA1
e39f058ddb5e8756f3dc0c10efe687dd23d68567

SHA256
c422edba08e7c59f54b99858df6066cdb26bb73b966945df8ba2c7d2d2c14e83

SHA512
47fc7018970eb54bb4919e947198eb06a99a85e1e1a06711684097b0220a7eaefc614fa071bb615ad0c8d719aa7bb76aebeeae6437e6042f6f987a574e0f9808

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
241343e443642e6543da5d1e09792655

SHA1
14f06d8c1d8fb4d539b7a5f13a0ee249baa51b71

SHA256
64a62a200dc2fa9da6ec86bbc1edaeae452386e85a92cf0677978c07d7f8110c

SHA512
14f172c90871e3df3f7870b18ed7c4201fe7c6fec0d03bf65ee5bb191e06fa5c24dd341c67f9d97ba4858f8f3debe1d6f90efdc5d9301cd134602afe698659d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bd3c35232fdc067266c20d172cc2e43a

SHA1
a058acd281746a3e929c3924c024b51eecf9d30c

SHA256
9805e40e4d352b1d738aa0a2eeb1d0f72237f215eaf94b7ea4a282e3a6967caa

SHA512
d465ef51c919d1493af9baa417b927124b99582b9e2244567d55de4b3c6e173e43c832fd06d071f7d553d79648c976a9db7f3c30ab59f6f37bc166163f39b48a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
26a1a7a3f6e4cd2200eb24c0a8f9dbeb

SHA1
c3f16eff4d455389d9295336b82415bf92055ef5

SHA256
90adbc2641b729a0ae34003efeb1bde5b822d379f34d8d5c2775e45f4f3a7f7f

SHA512
397b98e926cbbe0f47cf04ab0061fcf736a7dbc765a78f68bf5251416327dbed040acab6db3aad7fcc6b9b4fe7728e369d8c6ab5a49e5777bbc00851ff2a2c93

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\92b75460-2382-493b-83ed-5254ceb0fbf2.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
49680869a65af839bf04b42897255944

SHA1
36ced26296f65ef4b862066d927e25ad29dd9e36

SHA256
2126e1eef53b4fa73975b786d1be7a26cdf4a1ff097c41aef6ef27eb13c5f616

SHA512
325502ae907058f8b28c27d2d3481bf7439f8ead6ae06be76386e6a68004c9d12338f0f8ed124c3d2e9a7f1239477bc5ffa9a17c4d589d21c423759ed5ced282

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
be950280053aba52e81c4de648be5716

SHA1
82b8bdacba1f898728fe0988f55ae8c92bc3b777

SHA256
e3617439a485476473f6a156502060f7b3cdb6203e1920fdcd0721a046084eb2

SHA512
ecbc5d5415d98485ce2c6f9691daf61993070a1076f8849f389ed7fe6309bc83b81e28e041e7f913e24999e3ec27e6f59f487deeb9b87298546d0bf3a80a9377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6b017c4465621f43d7d72fb7ed1621af

SHA1
6209b7be448fd481ed37fde19e66c9c1d628c824

SHA256
8855a123ed0345847e3bf520a903f71da140c61f776f3e1a7744eac64bba4766

SHA512
8cadef9bd0b5544b3e34148fdab9eb022b862d252fdbfee846e3130b4c917a8c50bfdfcc5f7c8b61af09f71c8ac49ce0de6460735a35393005478dae874dee1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2d02f7b5a71a6c079c000127ea8900dd

SHA1
abcde89f2ff75beae7f305a2c1082d7f2389e9a6

SHA256
596f613de78b07fbb0e8eb4335bdcc83eeb1cb87c859d87d000b8e459148aa95

SHA512
6891a4e33a1596c2326ed085b7a53e18e8677ad6e532e907b1ff6cd9c0ed1d1f831f656052b1e954fa9b88b1f366b9ba6fc3afd67da4ef9b768d1f70a3c77697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
794c6122543e680647aede9a30f2ebb9

SHA1
a423428197d10a47e7a29b209c1e2d019108b55f

SHA256
31c5d6dda41551465a6f6f8c91bfa40de166f8501de1f57e25f5f0edb5b5868b

SHA512
ad80b1ccdf6f44b889d4ecfc150ca2bd552bf293aeaded1bac26975e762a8c405c398647270ccfc32a1aaaf5feff6699ff7ee3648bd2b9a4a974ed389e0b1384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5790b7.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3c7f8680c3d2c7b57ede470f08af3e09

SHA1
5dc143e6d9f4c0b1936a3800dcb71f749a84483b

SHA256
bc1b97a6dc5eaa9d70cefff6d774d725ad93bab0a5d4c811d3aceba23fe2949d

SHA512
df97cccc3f4145ffbdc54eaefef65617e3a0ea02bfee6aac927367a664ef019de3283a723f0b43e4aa00bf537119447ad778f886d559e7e54d0e5bc1d40f2379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
681ab862226cf63537125baafc283456

SHA1
35828509f45087de7d2101fb95352b97dd92f04b

SHA256
ae32d7cab39ca5819cbf53e0d952ec585950fd68364684be54f096629c97c913

SHA512
8dd42a74cc0b5c8c2dbdd3cb3b3087ccef02bf62cf11f7396bce0d99192f1a6da156013f1fe2a8061f98dc22d518f2a2db4bcf02b79e9024ed663840d2af4794

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c6302deb3f9c15c3e27eb9e3e84e873c

SHA1
a9dcc9b9584de6c21add472e8a2d6eeb6c1a4f98

SHA256
447eaf4091e4df71ea674c5cc4569269956f08b288cb658ae0dfc78c7f2725fa

SHA512
2c4e30bebff366ff36a08305b766b8a0a3fa6075bd05d158ce94e05881252275cf791397dac330c3724176057621cab9559d6a36932a3849bf6f5bc3ab9401ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
ae50b96788795c5008ac4a1b62eadc0a

SHA1
92406b3918dd6323469b30ee9f6974b99b28f949

SHA256
dd79d0e6325729f0ef10dc7b66ffbffcce0245d1bded3d5bd9e84a6ccb6b82eb

SHA512
5f4a3b5e28dede34d268e9476876a305e754ab68ea661a90b2046464ccd9ec18ce624204edc5fc1d8eda387c09e2b6eebc5d5e43d44e7f2d5630e77502eb7a25

Download Submit
C:\Users\Admin\AppData\Roaming\66453d72293b476c.bin

Filesize
12KB

MD5
5b49267a486fa09912eafc108f8c5f54

SHA1
41b9bbb6cf0eaaf2ebed01cf361b5fec6e01e146

SHA256
90c961e448ef1b62f1c298b3ae156ed24ba4a398be27392e650fcbe7aa5d47cc

SHA512
31ff54688efcec165f1346213d900ea36cf863efab03c9c384bbf31ca4acba736daf8d684874b9ab2234f6b0af7dbb4b3528864a9466c9a48551fa8913ea267c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
45d91adacb4e0efcfe907659a3b55e05

SHA1
28b5599509d10a356d6d36e5f07c773c172b18d2

SHA256
1a4ffeac856d97d69e76e45b1c4b8af155c8ded964229234a6d49b50aef82dcc

SHA512
4c193d30cb4991e42008e5f2560a13df784567fe12d474d69d1929c3c44b8065ad2cbb55363ec86f733fe96eb5a3b816e649d4e8ce87bb9d554104c6ceba96d3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
95e3669a0d426dbdeb60d27a28c9e64b

SHA1
efd2f2a178a1066c971a20629a320dd304bf0409

SHA256
ecdd45d3de9ef1f234c0a16b7f665213d860143aa075c98d0ede40e1779a9197

SHA512
281a279487bd765903cd8727a88b14d3e8d51e7de86ef42db6fd4df6aee787d3ca3951802ce1b8d312464237706420c3dd2460e47736367aa50e49c666a2f371

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
08dcbb43e3fd769d411ba06426b764fc

SHA1
a3f8839e96bdd258936bfd3ca614b3672c5803da

SHA256
ce624df0044451659249e346f9558d7e2d9dcfc81c12e0798cb5f34710776145

SHA512
b10a6195dd6a70e70c816859ef9bc8f70b2918f5606484cb6d2b2e63018ab3cd9ec18291f665e6f983fbc1193b2fe945d415803b195b443c8ef503a9a1524d96

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9af78373572c6bac701276ef413afd58

SHA1
354a2f64dc3bad6b7a0ceb84a5c826c3e7389f43

SHA256
a7f07624dad4727dc7b8dadacb0538aea00d9bfdd69d94a72b68709e81f33d94

SHA512
7abe1a1356d2aa0487eee7bdc10179458f50a020f508c4010489f33828b383973576b93a3f1ae9c33502fd431e90857c7d636486ba8facdc6db84f2e2b43f102

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9317aa436e25c630fcc53c206292d6ad

SHA1
4e3a02c9572691d3629836c522ca653b05de62fa

SHA256
d14f983a64611517d11508853e55ed3aad0e576a60fe42a1af618ecd32ca61d3

SHA512
7c81b450bae7f217e4a69c79985d66eda44d2f9a609c5255e64b2134dff14ca03694a0259ccb7551a557fda4360e77cc1e02cf30dc0f1e35e1519360b4933755

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fbd498c98f4b6fa1d5113615ae413f51

SHA1
e784b55487e0f290e1e9a3be2843dbb1044028d7

SHA256
0dabc302f1d2f3d10926e316fbb4060f1ab79a0abf5138409e5af866f3e8f903

SHA512
da5434808e001f7d05481fec546277ed7a8a359d129d1c0fa1847ed148fa0560ab77e0270d7f2552b4e27562b78f116060b310522322540bf22866d079a6c326

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3d2d7cb90ac0c225d8abe5bd0ce47066

SHA1
17e3b411758e7bf004fd0fac4296d2ffec373295

SHA256
ee4185ecc3459185a8c0541ffd08728997f6f080d7b864de4b9321b3250263b7

SHA512
3c92ebeaafe49050cf690737ad3674fc9d9bd9a78824f8790346021717b22a74222e0796bf23d1af15e7ce6e35830f9a88120a98518e47f3f1fbcb2876f852b2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c43533f2d6f369868b646d066dd8716e

SHA1
f68befbee5cd9ac706c10e215c2744f31e325028

SHA256
6e8b69e3b517cde30ac804e829df017b2ccf2670f9c626a9e4aa4fb600bf2e32

SHA512
97ba20d2803eec1ca6a7067123ee1a875213aec5d80b0ba177f4a0485aeaf75ea7bce73ac2fa0f7faa8c0b60993607bf91560711f51f3913dec09b948d8abb2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cc112f88cea2aaa1d45d6fe0bd9787e4

SHA1
69f1da743e46ec3cbe4fe9e9f49bf55d5359152d

SHA256
a7661d3ce6f8e85b4d22b8235b508df4600b403b1667d39e4ba229dfcdebbed7

SHA512
344451029a378c41bfe11a487cc12ab50d94201eba9abbac9386c40a61ae97fac7cbb390f2d3edf524a965e92a7628b3a134f0c89c006836bce5b394d774a15d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1decb9e5c3f38eb427ee29f49da09585

SHA1
aa7c61d3c74f29fc5d7a2d55834400d6a4f48bbd

SHA256
41f4a12988e31cf30c5c446fffab46e031f0b986bf249a5b0c7d54f42f342699

SHA512
72d5a47fd7b0ca1a61bc90411af4a37552dca964dce057ea35e80c12e3eaf7e5f77e9317a5905be43b1bc2590c9a25d53a50e94b3ca1410b57ce78361da4572b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
09217e166ed83234461797ba4f25a38a

SHA1
91fc78d611082fc55a2cbfa26ca370a3c1be6a3f

SHA256
17c94d015b736f9280d49fbabf568e306278f97388958557b466d25319d1c6e4

SHA512
f34fbaeed9e777416cba8917b37586e378e8abac8db1269a62de0f14f4b230c8ade565a195d5bbead268da82cc8df0c9c5428e5dfd01bb3d2e6e1db0db05a47b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
868f78609a170b65ad3215a8bb969436

SHA1
1ededaf480759bcc11ec2ffbadb8bd9c28373b0f

SHA256
5419027117c0f63ca1ebaca96ae05347614f03f60c98701f81924d1700bda3cf

SHA512
5cd90ab540313862f0cbec7b64d7347ca9a7d6ade88bc91f1ee7c1e5b461ebc3297f2ade5840366c5ddd697c393669ec708f24e558256b54e30750f88f832534

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c7e900fbaf7319f11d1c097ca4205acd

SHA1
a4d1bae72da67647a4ddbac8125f70dd052ff581

SHA256
a1024e47f6b9d3c45655cc4ccabb3ba0090df8c27be9e56f0a25713ee0254a63

SHA512
e3c2aa120d085fa0d2cb0f9d065907295a2abc89b53871a387fd9ad0ccd57822c90eb6fbf0eb647c62db43fbc255d415ea0769630a6fa9d0ca38aabab963f1a5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7c2c6fb0ea9e89f71ecf0adbe0758683

SHA1
ce092bafeeb015ae57a694a34a4f3bc7072fdf7c

SHA256
b241fa2dd3338c5a1d01796e659d32c08abb043b396f2e7ad954fa7bcfd25131

SHA512
4eac2d4f6a0c8a22aa4f6341f0fe66f84997c069d2ea83cc77c015fa0b4a030721ace257e2af97565ba72c4fbf3fe50c52f0c821734d603a5292a148035b4d26

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
394d4d44d991f69d3807be7a921f3a75

SHA1
a475b71b54c9dc835b0fd90dc05be5d8a9b7ba58

SHA256
79ecf1c68dc72fff1a9f47dbb855952370c5d060bcda328716f5ca1a87153e97

SHA512
d623f896634da4e03f62b34003e1941dfa29768a718ce544ab5feab1edcaa34203cfa50dd840828d0e96f479c5564d34e0ffdf2987d26ce069f1aa8f90b75c4f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3e8ab27403b87297d882850905d5a69

SHA1
8df40f568734a8840a32ec9604f9fc10ff0d22c4

SHA256
5425f60f8e5892079f60994526b0dc672cda2d0cef30a3e52d51fd5c21a646c6

SHA512
e1cd65bd5a74337a0e03cfcf31497fe53be67ffd959b6be68e685baccdc09fe991d2fbc8f8b4af5122de8545cf68aed22ec5c3a449b085b27623b4448a0d3fec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b69f96f45e21c5b398e1005800a4f478

SHA1
8a3039524e7b4104ba7336fb3f5eeb04b8581924

SHA256
69f0044137ba5354aa109c7faf05df639d940d1f2633b62af3f366ee1c41357b

SHA512
e0b46a70fc0ee4288b857229e1a04625c830386fac9ed86d8b67276d3e1ffb90027b3630707a152450d41ca42cd84007385812978c8a88140591d008131c5e8f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
41a86dadde8c1966bcd260ff18b1fa1d

SHA1
42f88c68117d7777566736354db8b66827497605

SHA256
fbe05b042954fc84ffcd8b3ef654971aa6d813398548908489ee32f4eb4b58a0

SHA512
895885e9ce40e310eb3d8a86433fb10e28bee7d3e09e72441bb852741d3a1c136a8f5f9fb36224381eb2ba3dce23cc4b1af83f8907bab73e36a8b53413eaab58

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
92f7851669b5536a2dccd972970ef2b6

SHA1
716bdc7c0337fe69e6f17ab4cb4f7a5bafb17c45

SHA256
b85071e4f81d374d22443a45eb4402b998db46af9ccdf15de498db087820e156

SHA512
ec149571414728f5a98794bf304f57825bfe2466425a88d829a19b3797ef72c89ca867e6bd6047d468821322d553020e48501c16a2dd33090ec11992d35e12ec

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1c793d4861339059abe7d52e1fb171f1

SHA1
afe28282b9cae35f858a920083ae6dbf1ecdf030

SHA256
050728d9e16d35d517989c526921d3a77fc040d137ca3dcdd0223aee7356fac6

SHA512
8d8b3305ca42bdcde4ab0c1a0b80d3f26c9c02c6aabb8af5cad1ee99f6fb670d0a9d48ac0b3ceec6fdaaf1362d5de7b456cb0e9cda477b34f4844d752312ac6f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7402a052cd772a70490e07fa97ded61b

SHA1
b44c17583c54808a18a9d645f0223ad7fe35d787

SHA256
a9ed34c8e43902692690e7be419ac0f2a56f159d8d1cd7004f68eba8ae00aacb

SHA512
bf10d50945bf33a4fcfda0d7e2c71b64b3883631a41bcca340b0677b86e3460d065f9d913da068ac2e279126156ea975bc1b41976be1888dd35989d013e504f7

Download Submit
memory/388-632-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/388-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/388-10-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/388-16-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/636-280-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/792-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/792-91-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/996-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/996-271-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/996-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/996-682-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1588-278-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2116-684-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2116-319-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2232-683-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2232-284-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2252-272-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2680-6-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2680-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2680-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2680-21-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2680-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2848-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3512-663-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3512-30-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3512-39-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3512-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3548-279-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3644-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3664-273-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3680-72-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3680-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3680-66-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3680-456-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3696-44-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3696-53-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3696-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3732-274-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3992-320-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3992-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4192-283-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4528-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4584-276-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4712-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4712-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4852-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4852-56-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4852-62-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4852-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4852-77-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4960-275-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5320-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5320-686-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-618-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5604-605-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5604-687-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-521-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-629-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download