4af7685c308e40ddeeef3ff61ad9ab7ce832f0cca74215ee6fb441ffbc63813c

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
Size

4.6MB
MD5

41bf1158bb65b9b579a2d03a55d1db90
SHA1

238f0dc7e0dd060cc99583975a4a329864e499ef
SHA256

4af7685c308e40ddeeef3ff61ad9ab7ce832f0cca74215ee6fb441ffbc63813c
SHA512

71b318bb84d9f73fa017d8efc22b43a48b6972890afd04f3b816806ef88ae6ec244c0dea055d96c40e4c0f7f4b29997d21feaf1a64445f8f7f2463592156d82a
SSDEEP

49152:HndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGs:P2D8siFIIm3Gob5iEN2XN

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3556	alg.exe
3720	DiagnosticsHub.StandardCollector.Service.exe
1748	elevation_service.exe
3804	elevation_service.exe
3636	maintenanceservice.exe
2036	OSE.EXE
3392	chrmstp.exe
1352	chrmstp.exe
544	chrmstp.exe
4624	chrmstp.exe
5076	fxssvc.exe
2080	msdtc.exe
2420	PerceptionSimulationService.exe
3672	perfhost.exe
4852	locator.exe
1648	SensorDataService.exe
3296	snmptrap.exe
3800	spectrum.exe
3816	ssh-agent.exe
3876	TieringEngineService.exe
4116	AgentService.exe
4460	vds.exe
1440	vssvc.exe
4052	wbengine.exe
4620	WmiApSrv.exe
4944	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e9e53aa4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620515994973707"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa17ccec26b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c97cded26b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005265f9ec26b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba8ec2ec26b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc9b51ed26b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2c51aed26b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d2dc0ec26b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbf1c4ec26b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009053c7ec26b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
2276	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
5308	chrome.exe
5308	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4948	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe
Token: SeShutdownPrivilege	4896	chrome.exe
Token: SeCreatePagefilePrivilege	4896	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4896	chrome.exe
4896	chrome.exe
4896	chrome.exe
544	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2276	4948	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe	81
PID 4948 wrote to memory of 2276	4948	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe	81
PID 4948 wrote to memory of 4896	4948	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe	83
PID 4948 wrote to memory of 4896	4948	2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe	83
PID 4896 wrote to memory of 3736	4896	chrome.exe	84
PID 4896 wrote to memory of 3736	4896	chrome.exe	84
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 1524	4896	chrome.exe	90
PID 4896 wrote to memory of 864	4896	chrome.exe	91
PID 4896 wrote to memory of 864	4896	chrome.exe	91
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92
PID 4896 wrote to memory of 908	4896	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-05_41bf1158bb65b9b579a2d03a55d1db90_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2c4,0x2dc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c84ab58,0x7ff80c84ab68,0x7ff80c84ab78
    3⤵
    PID:3736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:2
    3⤵
    PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:1
    3⤵
    PID:396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:1
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:2328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3392
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1352
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:544
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1920,i,11223691510992592283,15844959362106282977,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5076

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5076

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:4944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d4993b48a9b300ded5ab4314382596c6

SHA1
e0cd11778684394317bf478f22ead3aabe5e0630

SHA256
9938c4a968071321bc042204453557047db4efb73c5313ab7740e002a3b50947

SHA512
fdb9b12dc8892b6de5c6ad38ef80f323cd9817cf538fafb77c8439de044338b8897ce1ed4b8fe9da2bb4fb74b3536b675ba5537ac136d7e04af502e64088dd49

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a9cb98d8d447cdee94f6280a47ef3280

SHA1
1169a308a18e6fb4ee64e8e88e23767f684f59e4

SHA256
ff7abbee86c7faea31f9dc7cb77005a6ca19cd62c0d7ad325a5f115abc99269d

SHA512
c5568c42b1b55be2407e5375b61fe0b0f50fd053071b20891575737e0d240fb8d5bc5010600fd749c2ea2714ca0fb0692034f4caff708ed357e0c38493e23739

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5f4f9f11fe6c8bfbfd90aa95b90c1e20

SHA1
20c3a696a7f113bb20c40b73f41291d3c6883686

SHA256
1b11eb2d9ddf927e1697b712c157f1b3c9b2ad1659eb05c2cebf261a4ec156d3

SHA512
c4327df20aa55f6f67fd313306415ed9c4ac41068309e75b4e505649d5f65f76ce231b20b186e118089a2b3264c6c18f32ea179b33b140c391ce45f9da62c369

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59641b47015a820fcd92cf2b6524e2b1

SHA1
92f7272180abda412a14f32534a39db2164c18b2

SHA256
1eb137710167398e26671d219259a3885488f2da6867906c61ba68e040560226

SHA512
b0deb27fd6a44e307a1bdad5c56f397b5ce9388ae2469512fe974c2ce1520c0bb3b43579e4a2587dbbdd5389b23aaa9ccf011ae7bde7c8e42f5ffacecf800619

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
80f740078052f35e6cdc21962369e185

SHA1
f2fb806383062201d70178ec1c276940dfb418ae

SHA256
bf28e5cba3c99e0bf5e8e835510933bb539f3180a32f44e278ce90226ea5d2a1

SHA512
cba0327201aaec53d3c9a57be3d575e9e3e3839e6b0381f1f7a45a3ad7f50017818f13eef41d5c31f5d41fba6b0531c4d40a9037f94738d593622e58b6118f8d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8c5e0553e0ed0abbab28fa22bcd60e36

SHA1
6826fcad92ef4e2801895ebd07b3842a12ee7fe5

SHA256
17453b3999396d813325aea6eeb6b62adfc34da784476f8ac4e71019e78afc86

SHA512
ee6c27348a7dc0623dc07dcd1eb2e56ab0cb6ff42914cb336919c4b32e3626340f11cbdbecd322d98c66c5200dedcbdfe728e8fea913877acf90b1f0b947fb25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6e873e2fcabf6812ef718ce7bc910596

SHA1
f2da2e552ed6e752aa8010bba3143b968edb8da7

SHA256
8fb7eb94a5ac2bdfa8f3424019b29a42106283d50335acf03a81038e12a3b1b5

SHA512
af689ea326d75f1656d2d4920323b9a6cc8ee86f8c89893e7866a7b26bc311e3cb7f849529ef3c33ce61ae268f138853cdfd824e813b1b334f7f145a23d8f909

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
842cb19d8435508b7d94307d88005de3

SHA1
2c97f259e1cb8f1886a6e7ee89f78a759cdaf210

SHA256
920a3e4338bae7648e22650051951833c272a68f962d7ddbfe7c97a55ea29e87

SHA512
6f87d29bdc30655140abf05ddcbd0eb86c912786fdda6ab87587c17f09ba793dd5f40dc913de25426936113345af604e5aa729c5f15792ed0a2e6a494ba7497e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
60c16fe1f423366c967d624f24596b5d

SHA1
f21aedae1607c050240ea0d9a80a60f4cacb7f14

SHA256
9bcabe2a76fa1d832b21e48ec6094a3458e6274cc8c92f894cc9208f47877de6

SHA512
f677458ba6b15f30bd2f2ca7b205f9a6a6f9d51ec83a8c0339213ba9e34437dff3c42013c1df4267e5d49de09b07b94afd04191770b3894632ed8719378bfc41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4c8c21f321eee79043d70d54cedf89d1

SHA1
ba5f22062d49c31e77cea7b9d5624ed2d4950347

SHA256
3e8ad4e8671c676996751934659289ceec60554ee00c9057632c440f565f2efc

SHA512
602b0d6717fca080f48893a1fb6afaf421c1fc5617f034b63dd9315343b46e9f432ea3a8f20bc3a55ee650e8334bed8cf5459ad3331161e1166cda0acf6dd90e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4e661dccfd29b4eeac9b6fc092c265d1

SHA1
13ab11ad9333398e91de0814d980868718778b18

SHA256
7a46059387726add0c782f2ae81d195e64b6b9223eb4061ad4f0baae641a4625

SHA512
747eb4a51c1d5d098fb7fd810e9f9abbe0680247d48e4a30e03f522163aa446639d0dc8a54607dfc45b4a401ea5d4fe180cc067d3623de4f6792438434c115fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2e06b69e4f0e4e6b99e23ac7a37e386e

SHA1
b033c8f0ae249b20ad6a79eb3b784d52b814d767

SHA256
648eab69e29cfe6ba77863e9e906b2e388539a8f5ebf0e61919a73a13f61f260

SHA512
30f9e78180ef85d55fe14674944da557523f15b3db034ff5e6173eb79ee1caa48fee65a26c9591023abda166204c660e137a6b79ddf30fe61be7c03931115203

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4a4d8327928652f1f08fd83fbef33460

SHA1
de0088750439a57c3b5a5511c8a6b4cba8365914

SHA256
f7ab3ad162391d6af000c0d61675c393f41cd2219b37cddc511e0a857d232ab8

SHA512
585c4ef4c44a43522242a5f75f9f23ceb6a051025fa1deec76c1326c84bb3e11b2438b38757c4a5c039f49a0817dad8148197fcaa43923a7471d19808f0c0ebe

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
364ca9b23abbd5679434eaacf551bab7

SHA1
62f6f67b36a91ac5fc9a966d7208f995f8517b24

SHA256
d8b89c681768a603e0045cc870fb64b3fbec3ed13699f13cc53d385730f69af9

SHA512
8464ffeb184f5b23f2f748798b59ab2f26013b76bd89164768beaa18276a3c4526ddaf0dcafb8790015a471e638b3dbb16e7692a4558db08b48515b6c1823d36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
948096fbbfb64003cb4edb4287e907c1

SHA1
8726f9173fa9ee0e97a244e4e51c2315d363b20a

SHA256
f319a18391569ac6f1131d27bee836f986d6662edec9776fbcfba9acbfec5dbf

SHA512
35d48b076caf5ca19ca4b90495f6b82e72aeea75da531c854b2684cb1d71c387067b0e79834cfc5d83df29a60afaefdf0e87af13867bdad1605ef636ff0f9de7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d555eeea9b62aeb2e168d2e365d6a0d0

SHA1
cf6ae457770c7cd7d6ec4e0270384dd4220e4949

SHA256
655286553d82529417971fea9dba85375380afa287084febd2ab5e92407a365c

SHA512
df2f7199afb8c1c1d7ff5eacfc818356b3a0546c0086c0a757b8c22d1b84e64869cde34103e3fd236f2e7f8b9afa256fa0d16a6bb2b497cfdfcaec41444be6f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
066c3dbf83ab8d604dc6740bd3dc8fe6

SHA1
29a4318295e5fce4a77979927a09bf698f7413ee

SHA256
e2d9ce0edf1cd9ef43b99fb0990f0d67086b1d3f86cd4e0f1ec5902cea1a741e

SHA512
14ee021ab5fb5b3edeae173e64a3a6cd902be636f05de5307feb90f157a37f9eec9601c5044bb0c01f2c691ceda72623cef680197c9903d1392a94c9722d95e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
23c0bc882dc8794523828ab43df8f860

SHA1
c7db611a3229d16ae13b3a07c764f470fda20857

SHA256
15a5c97ffcea9810e5b24fce8ae5e79460a0d5119f270bcc4f0bb99c917006c6

SHA512
54e40155233c46a6ae1dd328a2ac77f4d1bd67a34c5a0025e0981d33cf2fb9da9697e220304b1a6a63f669964ea53b62af69974636a380efe83a8c2ed2456262

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a13af7ad238901ad091607e6f3072bd

SHA1
ca4258f1a14f75874327c3b45bc32731e3ea2b2a

SHA256
ca8018bdd4c19cee02b04bff422a3a6aa5b468d372108e63d2de36f390cb0d78

SHA512
fc21e149a588b0645a6e3c371d0605af73502fd4ec01fccb86b8d2ac3a6502f8897a5d77be09e20d16c7370bd6b0d83f75ebc6da099fca69f18589c9e3a3b09a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\969367de-8bdd-4862-958a-511a8a788232.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4a26e3fe3221924b4fd92f4f46b762be

SHA1
88db3b4e7b4e2c4c45aeb9d70610f8bbe7e0cb4c

SHA256
5779bf3568dfad0f864d754c56c255c0b6782ee97f48ab82174faf9dd9b8e30f

SHA512
4407c0d0a0f1200273f54d607556e446eeb02bcf843a9c11afde45759888f89f2d4bd890df2bd4f3d8aaa906d2256c6b725be27c74b03c438870de72fafd6aa8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
da05bbf74598864ce32a2be95f4a5889

SHA1
f62b5609c4bfe6a8f4d432575455b087e81c7970

SHA256
e88f7aed7dca42493085eaa5c6a331bc12e64bcb28f802bc09402a3b2d6e2524

SHA512
af441c5001aa3fdf58a7e62b4a7a4ceb157b010efbb984d646ff9fafa13be632541b6c557e83caabf14125a46017fbd64f43142077a361836e7ade7572528845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7e2329dc2a9761c9e365827ba6cfb107

SHA1
9fc3605964890c5b322a6295f1ed6f9fbc29f13c

SHA256
9b89d12c75f68453b5e9762f9d84c69c32c562f7fb75969b00ee6fc630df7363

SHA512
bf5e100e24d13891442b5a6a8a42fec1f321e9daee76b78a2a1a7fbef4f2654f4298751926307076241efa0ae7fb41bbbb05a6eba10e2a62e41ba415dd5ad379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
7173899aff907d67a8eab3ce9cb6ce22

SHA1
50160df9fe07a8ff993351b5f2c1275aa97537df

SHA256
bd0bbe7f9ea04334e800826f56615827ce146a21cb445687c137e843dad8e42f

SHA512
a63707129587c98740ce490902d1334ac90c6d8ac12ca2a4b78c473e582d0d8d0ef747cddc56bb9a96dc1988d192715ea7cc8c003187c599486e0edb41a7c462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
25308ba83110b756994e51b829f4be16

SHA1
7e03e659ff2a4a687ec2ee68ff9021b3bf115856

SHA256
b393b1171ea1b8322a17aa8c5c0f79ee7a9f5736f1e69365f38b1a4833d14fd9

SHA512
f214a6cb3634359948c1a5cf5ede9891e4a34a58a890dc18241eafc38cc75ad1bf2d27ad58384e0b2238da2e9c3cccbdc45621118af82bb4dcf30e2f9f8ea227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5763da.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6452bb67bd36f7dc5a335ae9aaedd89b

SHA1
08eaf43ac93976ac2bc51589b74d03f9cd7a870c

SHA256
83239684063387c7fd6305e5bc0522b30d1d8da3fd47a02af08b88d2b6139403

SHA512
a6d5399bf75e3247f879950f8e3e5ec4d61f403a7ab858975dd8e71d43c74af31c8f23706d7986fecb10420cd4ec3b22e6a843383be59297c4b9d8f8a27fe92a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
c2bfe8d6b8b0a2b493df03225deb1de2

SHA1
d2c56c20060861517ad159bc6408c5845a348084

SHA256
8dd267c449899d0f675c2389f651a2dbdb14c000617ca9533bcc109c4bc9a867

SHA512
62225bf16c81c821be9970ad03019ae2d96dbb5281137141ec3613ac2095b510a791fe462120006c0510f9d0a4cb553c0693ae17bb7e87e322c2eb658b3ab9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c95f657536243740c32452ac15c9b267

SHA1
36695e36bcd8d401071a42faf6723395de4e793a

SHA256
f82d74765aed10ec8ade57754cdbcd17c6c4e19c70c9da6461b3cb39fbfc0a97

SHA512
b518fa38b181d9429f40571b66cfd593e9612ba07b7f03b750a3099f64d43e69ccbd04cf1bc8a1d84d3802be52db1984503ad48507d0780ceb664ac0fe699ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e4486707d70a561d19bee0c56b1adfb7

SHA1
e7614068a56f85ea488214127dbe6071722bd52e

SHA256
8b0ecf8249ec7a77265b78e7efb1a245ea44a25e06b4d266f9200d024f7d8cfa

SHA512
9fd5b55605606e45b025f7f66ad54af3c666902231497ae7301ff509dbdb3899ebe8932266f134c81727e30796a57648c3d1eaf4edeefa923d85e1388dd5d30b

Download Submit
C:\Users\Admin\AppData\Roaming\e9e53aa4a48edc7.bin

Filesize
12KB

MD5
9bf5f2cefaccd11714de48ccb35f9ddc

SHA1
5e4d9c30b295599343b8e1fe9dadb27bee5c06ca

SHA256
b3358afadaca09e0f1a12a1b4ba9e406b5a26e1eca828b45efaaa7b290985686

SHA512
111d486a182d39f9c3eabfb61c0004f86bfb0b8b21f68c5bf9e0a90cdd2f52d98c7b1200cfb6ea8e9e26fe5a0e8975930c33f85f0180aab15ae4eca881112a85

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9acfbca33146e0daed49d8c872b4ccc9

SHA1
7faba33b609f3ba79aa3e4e84c67e9b487090a99

SHA256
3f838eb9544d15f62c7ddba2a2b80c1d86603e2975d503e98da970ccb77c6dde

SHA512
be9ab4e6eb3acc522807f2b136ca0401d7b666ee2939bde35edeca6eb73c9c2eaadd400222756eb830730eda3b5ea18a84b2c8e94c2c456c557512bde0f0e5be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
01c8ad44f49cc4418fdfdd97fe953786

SHA1
782a827e490efcd68585fe6bf71aeff768ddf5c6

SHA256
f7ce3f9b0b2a48b67ee8c1f692c28b27a17193c2f958331c8d9c261033b66ca1

SHA512
7c8725c52ec38a5bd66477fb9a841cb48c3903826ab128be11018aef88de074563b1eb4276ec9b5fbe5641f90a53a4625807e4f6ba5c29fff5e0a3524f917512

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6ccee0a976962c4a174475b92b5c0e98

SHA1
bbeb17c6d9a004d1cc4faebcc8e4aadb0834a2bc

SHA256
2db3866ee50bd1158986428cc9076a4ad9f9789a618ee1ca813f4e1495187413

SHA512
09db642bb0eedc420d61ba6b84426514347c5e169cb531fbd91cd9ea0f95130caaf7c15df285b12fc8ebe080b1a4b50d53aad908ebe50de8f827f96b138d759b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
458fc0fae2cf2d64507cb0252c0a02e9

SHA1
83cb3f4cd2a2a45cfc570e45044f91591169e26b

SHA256
6ddb6b709d95a1c67c1b3b4d84fc832f77ea264924ca3f3a66dc40e6d408e58f

SHA512
e19159e4a5faf0a5922a40b04f75b59e69426795e946096c1943022ac1b70f6a199681ff64202fb40d48f2fbbedd8dd54239bc81a8779774af3aa392b2315a12

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
616c88e32e52b6f85f71a1f31cb839d4

SHA1
abb1de9aaf36095813e892b076a6457da64ac573

SHA256
18017c783e8036f833287702270cdf7118c5805f71112b5f33a106a86c5a4b64

SHA512
229b272fcc91e11b175d35e3404a4949a9dee261e0b3714ff517dd0cd01070510b22dfbb779790b917e8ef99cc99356a1a1027088f5403fc576653f94ab13ca5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f80635fa6fa9366e7202c685c79170c8

SHA1
849197c017ff7daf7b9bf07c67d28a2b1860c3cf

SHA256
1d2fd077362b2732f37f9b150444c3e5b0fa46e4a71d99275cad204ce87a58c5

SHA512
2151d87734a040de851be5745911f02013f827966643cbd59397a1d5400601c02105a1f328f134430c5fc9c093c343ef39601deecc5ad0661f3f29286fdcb1e9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cbbd8eac9c455dcd0b692346d80237c6

SHA1
95d4707597099ffc774889d1ba15dbf446eabaaf

SHA256
6bc77668698e031c39f3886de82bae48ddac464087e8ee8868697d18e4b5f347

SHA512
edf149b3d9dc32bc7b029660f38009503123fa5f81b59ffa0909adda0d01368025a6ee5871310cad19c4b3e8489c69106bdda5c8cebca6bf9abae4f7185e6e60

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1d585f7c50666fde92b98c6879351c5c

SHA1
7b91d52f36cccd95c1a5284b06224f075725a70c

SHA256
bfdc42b16e83d68b331658f8c4b17903da24c708e7a7514f952edb70a837b6d2

SHA512
25d65bf27a790f37ae672952295326b0f050bb02c9d50605b37ee6752e01878eb1557a466736caa89bdfe04e97db8063e9406c508ceabca11e62ae67ac4197cf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cb94f70ce29240561a98960a53aea2dc

SHA1
06b21e0ded7a4acc862fd03d02080257356ebed2

SHA256
dc0d5037a9bdb5d2ffbb37e2682fb7b1df63694469940cb1ec27ae4b92664b80

SHA512
5b2ae1eda2e3fbe87c733f230316bbbbbb08708d5c44a434bae594fcda91259197e2dba570bc4ff275f91fda9a5088b916fb003dcb4bc626419c0ffa84567890

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
39553cc8abac3c459bf7729432caf10f

SHA1
01016ad038d6975176db3d5ac7cd9b4d323399ef

SHA256
5ccc20646088b502389c4291a5f590cfc4bd46a93d7f45b9a436d7e7636e77ed

SHA512
0c04da0bc55b2455dbb5280ac7bb7412516dec91dc8b86f673f002e7ea18733874b01c0bbf8b74577458f961cea6f73ddfaf5f872cccc64b1338acca7715326c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d40492b3ff7a2af84a199bc5bd07cf20

SHA1
eb53aee9a94cdc163a91dfbb2092c1bc3d4f8032

SHA256
4fbf60bf46d98a36a2ea6e0536c616df347dcb3f802e7670bf1926fa52d3cf7a

SHA512
ac3b4067f34c1f2b6476ece0cf79434bd5b402544cd8ef22c6b2be0d79654a2ded4621cd02e4f6b874d2649ca7add3389673c473bcf22085f81088b03e8d69d1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44bec1a25ee0dfe387299f371d609fdc

SHA1
1cd0fe9dd6db62784305715a232437730c007efe

SHA256
e470cab874dd8cea3fae88017f8e88c32763b8b2ae842bc880dd933b19260490

SHA512
5bdbc52b1da7f088ce3e4a6988a5f4ac46e522494f362136975195382849d9ef83d7e22acc70f9e27d7b57e25a39f57013e51b57a5ae0529e161e77eadfb935c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
348d11b210693b3aa0e4ec5965dea1c3

SHA1
0630242a796684331c77de8568810f67f7911697

SHA256
5df99278fdfe58c5a1fadde360b39b816aca15bae4a8dc974cdcb1ec024f6894

SHA512
95fb36d1504b6f841ca9e794df191f2dbfc64cb6ca76e7376af54a529a504a9bde5b30e9b143028fcd6b2ef1086fefa8c166cca12b0e64e6b370dd6b11a71dce

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3b4eb145a4eea23a59381b2094f47bc1

SHA1
956c44a7356a3ad0585e92f1369db4fc894c599e

SHA256
06f611269b8fb9b27c1c6c8171979b06436fc76b09958fd76f92ac446a5c5a77

SHA512
7fb3e3fc0377f5397a6e75c38bdac0c8ed042b4d9b534c57faad5309cba83904f3845093bd247614ba6503e9ab0ee124828758ed18c3dd1c3d026e1143a43968

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
50ab5112f28b62238cd0282bb1055ec8

SHA1
409f7bd7b86a214821630384a72665084ce62788

SHA256
05a0c719b08684468a751ac1d9552f9aee54314a086759ea79919b8313608dc1

SHA512
b7a30d91a2ccacc8b5ae2fc57496dc3e49f86e42263b3dc289d7d68b7ccf8c4310a1c3b33a26ea1fe02d15137528715abf2dfe6a4984b707ada7b181479f377c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35a3986e07557504149250eaeb235ecd

SHA1
6fd4b06aeb4b597a3e672f753277c90b211b6103

SHA256
6814a04abc6ce55f9d92b630cf3f873be301d2de1f8fbafdfb3a7dcb2ad66f0e

SHA512
98147f2f826baa82534925add9322ffb388a40346ebecd71d2462764c089c8e390c62d5205143b27961bf969a028db3f8dd2111f54ad0569f22383f164d169ff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
48d305a5e920c99814918d9bbcc08773

SHA1
c66b450adb95919c65503da0b36c447957ae2e81

SHA256
dd467d03df21c562aa86cdd7a59b1aa8c9d49cf8bb0e76fd8d1d4e2d0c7e17b4

SHA512
6eb2bf1075bb033cc9bf23be453badac4db6001e9d4cb456f596db3b077e1c1b353630829f2778ae3f9fe1bf29f14c3b57927e6f3483f92b6c57179271b5614d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
884a3b09010ab0b43d97ce12400a4083

SHA1
9c2c3f7259f5c0eedf3a232b565b63440d4997b7

SHA256
ddb991bead96d9f381f7f5573515ab557d6a10884ab0c89f3f4c12dba65edc05

SHA512
8f5e92ef32921271ad492d131d628e62b38b943c939828a9d1c6c5a74abc51645bf31e19880f37364f072e53b397a9dc8f7c887907cd1d6016fb17d0b1a40d87

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e3dc3bd5a9481a52425a7123eccba6ab

SHA1
1d8a000e0119646e5f9828e76e03fea714ecf4f3

SHA256
26655b58343de9846b6f13e017c8e26fab5dd9d6b7f8ac8d490219305960cf40

SHA512
2a38d5cf48ca153971697814b764e831c7506978b1e6c7f15e55a07acd98ef2f3236bd2746ad9efe7d99e2cd7f87d51a2bc4f44aec5f05782161a4f9eeafd9b0

Download Submit
memory/544-366-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/544-352-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1352-331-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1352-415-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1440-590-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1440-876-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1648-871-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1748-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1748-60-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1748-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1748-54-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2036-88-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2036-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2080-459-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2080-577-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2276-12-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2276-31-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2276-343-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2276-13-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2420-471-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2420-589-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3296-720-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3296-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3392-308-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3392-377-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3556-29-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3556-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3556-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3556-365-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3636-77-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3636-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-83-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3672-601-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3672-485-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3720-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3720-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3720-402-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3720-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3800-529-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3800-867-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3804-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3804-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3804-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3804-414-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3816-868-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3816-541-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3876-552-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3876-872-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4052-877-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4052-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4116-571-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4116-575-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4460-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4460-875-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4620-878-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4620-614-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4624-416-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4624-360-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4852-495-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4852-613-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4944-879-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4944-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4948-6-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4948-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/4948-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4948-39-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/5076-458-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5076-444-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download