32eb94e97213e3039dd80844ab6e33db3f9c5e97ee4b4b6ea7984ebf810ba82f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
Size

4.6MB
MD5

061ca13908b24101b05ec687a9b99a69
SHA1

7d659f9f662e570253b9baa1273ac963811e0c53
SHA256

32eb94e97213e3039dd80844ab6e33db3f9c5e97ee4b4b6ea7984ebf810ba82f
SHA512

6aef7f22767368aa503fc1453576bea69800e2e4458bbb270691ec52c69e4412b346651e308f8bee1deea908c7574dbd82acf6e397a06a59e1a7369c23ec26e1
SSDEEP

49152:PndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGU:n2D8siFIIm3Gob5iEL69CEN6rV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1988	alg.exe
508	DiagnosticsHub.StandardCollector.Service.exe
1068	fxssvc.exe
5088	elevation_service.exe
3940	elevation_service.exe
4960	maintenanceservice.exe
2516	msdtc.exe
4536	OSE.EXE
4620	PerceptionSimulationService.exe
4364	perfhost.exe
1688	locator.exe
3544	SensorDataService.exe
4908	snmptrap.exe
2152	spectrum.exe
4652	ssh-agent.exe
2688	TieringEngineService.exe
2272	AgentService.exe
4868	vds.exe
3380	vssvc.exe
336	wbengine.exe
4428	WmiApSrv.exe
392	SearchIndexer.exe
6108	chrmstp.exe
5372	chrmstp.exe
1436	chrmstp.exe
5608	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e099a600b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000b3621bcdb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6d96819cdb8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003105141bcdb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002915651bcdb8da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622329969334875"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b0d001ccdb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c50601bcdb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c50601bcdb8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
920	chrome.exe
920	chrome.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
2708	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
508	DiagnosticsHub.StandardCollector.Service.exe
4400	chrome.exe
4400	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
920	chrome.exe
920	chrome.exe
920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2312	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
Token: SeAuditPrivilege	1068	fxssvc.exe
Token: SeRestorePrivilege	2688	TieringEngineService.exe
Token: SeManageVolumePrivilege	2688	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2272	AgentService.exe
Token: SeBackupPrivilege	3380	vssvc.exe
Token: SeRestorePrivilege	3380	vssvc.exe
Token: SeAuditPrivilege	3380	vssvc.exe
Token: SeBackupPrivilege	336	wbengine.exe
Token: SeRestorePrivilege	336	wbengine.exe
Token: SeSecurityPrivilege	336	wbengine.exe
Token: 33	392	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	392	SearchIndexer.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe
Token: SeCreatePagefilePrivilege	920	chrome.exe
Token: SeShutdownPrivilege	920	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
920	chrome.exe
920	chrome.exe
920	chrome.exe
1436	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2708	2312	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe	83
PID 2312 wrote to memory of 2708	2312	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe	83
PID 2312 wrote to memory of 920	2312	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe	84
PID 2312 wrote to memory of 920	2312	2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe	84
PID 920 wrote to memory of 3492	920	chrome.exe	85
PID 920 wrote to memory of 3492	920	chrome.exe	85
PID 392 wrote to memory of 4852	392	SearchIndexer.exe	112
PID 392 wrote to memory of 4852	392	SearchIndexer.exe	112
PID 392 wrote to memory of 4728	392	SearchIndexer.exe	113
PID 392 wrote to memory of 4728	392	SearchIndexer.exe	113
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4956	920	chrome.exe	114
PID 920 wrote to memory of 4588	920	chrome.exe	115
PID 920 wrote to memory of 4588	920	chrome.exe	115
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116
PID 920 wrote to memory of 3496	920	chrome.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-07_061ca13908b24101b05ec687a9b99a69_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcca3cab58,0x7ffcca3cab68,0x7ffcca3cab78
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:2
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:1
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:5316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:5928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:5988
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6108
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5372
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1436
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:8
    3⤵
    PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1908,i,13544612774658250441,9835188107983231872,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4132

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2152

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aefcfd5128e49c2712943c71486f3ba5

SHA1
9c870e04cc46624173dc48be49fc55bce39225b1

SHA256
68afdc4d4d71d99e98d327f64b78a22db1a4bfa9d10f1fb6d1b191ca90539856

SHA512
a7d169ee36983cf06fb5def787113e9717bce5c078bc58d7517def368e0824145cdf5a31bd2ba1e413d610917a54cc1a692f8d0427be7c2a3b94d8d8fea51a7a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6dbc40805af472ecb330ff17f09387e3

SHA1
34f0c2500de550d9e16b743aa49aa67fe402bd0f

SHA256
35df8d87f8801fbc3ba1f43641520d768d6fb57c46ed1aec5c6bb6d5ebad28b3

SHA512
a028c4c8528c1dfc4711c7fbc451f86efe56154fd763e7a500780361d4987a968f7c8f43d2774a5d4f80d2fe98b76f621900cfd475514fb0fe32bb939c5b37ba

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b3d882b64c235df15a8a014a2c462e18

SHA1
3afbaa6805aae2399388db034f0816540c2b35ed

SHA256
a1b90a1a9b2a4215c9ce4d1b6955db1357cd04cf27c19b72c497d72808eacdb5

SHA512
a4077306c5d1446adb7c1c076fa9667f693197230bde848f70947dc5a8acb9ded838272b11b58683ae10ef0e6c32e0cb9ff7ec8b46c74566ae06ec96ed0be84e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bdcbdcab400f8f53bd6e945b2d0db0f5

SHA1
bfeef22a67432d2d91dfca87b51bf7c14b2da9f5

SHA256
d9e82de3136409b51f8cae360a9581579785d1677444d7b37b8d58530aeca7c9

SHA512
15f9088751ce2e7a3663e3f7cff95a832e44ec0ecd6dad3d778c638b7f9a8af0c354eb102193f44a08d0227e4581351d1de8718b7c60ded68ff4a62a9a70a681

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b9b88a38077c5573851bf1c510d96417

SHA1
092bc6101e90a2e2cb9e7514a73b07880c8f68ab

SHA256
01acdc58ab5d5455ef57065fd4f5aaf5c145a0da5eea203f7a3b183a30ee0da2

SHA512
8848b8776ad36fb0ce1efb48c807c0be34a3bc19878c59b56140aa87353d304fb20dfe109f12956f2e9a38f735c345d6e8d202dd4a7b529f893fe3daa31a497c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
20f24fb5fb0d3e4b12f8f586cbaa281e

SHA1
98afde3cf7e4654d49bc9993b05850287325d76c

SHA256
c4b5ef6a7e4d93785e789a4da4d4ead5485485fa5dd3edc32c8427a8046e855e

SHA512
94062fb094f5b2e67ada969b50cacf63d2bccdf1db70a5824059b3427596d002592125de24c5799db009e983677d43ce8c2625cba27d095d0f5e482d25b10ee7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bca5f3cb3af377e0f55751a056db67c1

SHA1
ff85abf040ad6463029b9a70fd7c90a95868e8b0

SHA256
664dc6cbebb026e8d800bd0b9d7be9b033cd4a9ab20b95881b1378c22e7f787d

SHA512
64b06ce5a5f7a5b6e73e376d0db4b5989f9f2648f6420764e7c224addb0507d7632271ff3c8f5a9aa403e2e3971704378fd91c512961996e2af9a43ff61ae2d4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d6f542fe6e6dd3aa2421414be354d9bb

SHA1
b347a0e0b24df9f549b1748e45ba52241ff396b8

SHA256
185d43b2daf086f184ae4e7a3bef0a7fbcdaf8e128abb8c2a95471f2d12312ff

SHA512
bf470c54be56bb924a638a4eca41a6cd17250bfc5a6545cf8758939bbbc19ea3098625114a034ae0ca28b5d15769f80a33b036c16f3c868cb44b303578a4f432

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
bc3f3b2c567cf40a253bd4c9cbd25f48

SHA1
66b83d6920484bf6fce2ab8ade3359622770206f

SHA256
3263f7876790105530ff8eca7c4e87bee5e90a2eea0920b0c2bec5e062802a8a

SHA512
408a0b44396a8227274f1c2ef4eb056a968d077987724e1a07f985c035d3365ebdc32f7de517c2665c23dafa435c76df50bf56fa0701a57263cb5197c21ee3cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2357fb9171cb37ee5145855d635ed257

SHA1
e57a73d9a71b3305c3ff96d2bc8fd979c0419f46

SHA256
ee1707dfbcdc482d44044513836d8a95615c379ba242403f9835bfa72829eb96

SHA512
bf189a3abb88018e58137cc6592c35608a7ecb9e993a15f4848aea4d713c71fbaf7c50dd5b9663960e8b2915d55283b9c14e779c039a6f8431b3a4987f594463

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6e9a7f899fbd9bb128261938e74de7a2

SHA1
c9950f2a7c7bc6c2f4c6066f5b11e09211b97c66

SHA256
b711e6cf96766f56c0f68fe52bbc0795347be30568452f343bf86210d5a8c2af

SHA512
57c871343d3f0cd6c10f2b0b71d3f4fbbd30dd7c044c59ba9b90477f612987186a1f04becd5c6666f4a7af364bebf4ecdf5632477dd04f574e2669843a44fcbb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4b3f5050362529e2dd8aaba0893a2ac6

SHA1
3bf0a555a956791ce66f423b0bde50a3ff4066bf

SHA256
d1c12a33f9aab07e3565fdfda7a48b80e4c1c09abcfcbf07614e822c464d470d

SHA512
f9a5e428037873d25ee47cc714126de91acaab3b1cbe9d46734d4375fa757d47eacae7d73e2fb01ba8ef8cdffb456cd2f533b93f4c0f73355b261e09eb672eb5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dc53b677167cf8e872f7780daae0d946

SHA1
3d6af0bf3dfe6476a1ee1e9931d1f71c8bfeb396

SHA256
a3dc4ee339eace1107e54e6ef1956497c00abee76373f54703cb0eb71c048546

SHA512
a434bbd260cc17bfaa1d792c6e0b913a7e09e06f2d60398fe39c7f848cfe983c279da7f8d182d6e97ed1cf31147921e9dfa3145712349ed0b68d83b9ea0af05a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
58eb98ea95e4d40cc8502f0ac28c8759

SHA1
bc91068ac1e96b74c21ace20714bce14235fcc5b

SHA256
66c228e13d028e5abe9402a208e8e110c35e92396deebfcdf8c5aa1a2529a694

SHA512
40468ba25f045da3ab7999daa689c5f36c40021be0ddc6b87fe65a8456d2a36ee1c9954982c8942c8e536a7c326a205f27818f7e8915c53998e482813b0f8ee3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3281cca70b3ed76cb743f4aeb6176a32

SHA1
2a4220e99182f7cb0f7e6de5c4a121c01df4f2b6

SHA256
71a340766ffb4eaa063d8e659ec94a33fc7a42fe99d598a226fb2148d92a03e3

SHA512
f46c1d11d60794c7053965e9b91d845d9391fe7285b7975c95887f56b1a6be616a1987b8887f21c0e8e1dd3cabae670f977aeb395e22bcb3a471c557c207c307

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b16cc0da61ff9748319107531e00c124

SHA1
ccbc4b64ebd19471ca99ebd3efe9bee6135bf62c

SHA256
419fb253dbbc14fd75be57e13f3f3a2749a9e35d1ac75033b1541cc13b08f281

SHA512
6e4d2569ef5ea036a49d3f83686b79818e5f2ba28d69978e5c11fba89fa4396c8cd1ffdf6f5fc468ce9adbcabaa481eca024cbf37c9b731a6df4ce0895f80216

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f6d01814-2ec5-4f00-8af9-a27c6c19861f.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7ff32a70518ac2d7b06c3037995f4069

SHA1
59165e669ea51397b9e84c14fc730af655455074

SHA256
c115fece949110e693f11e6c1023f49c07e2b3c29ab387c78aa6b7c147351208

SHA512
e6487600e7a61562c2920d9495d5ad2e29a93b31b6a3028baabed29566d3cc85e5902bdeadbf3e979beb0cfc4e00de2b85a9283b39203a13ef492f266ce507e6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ccfc612f4b17e39ee4e9de0a062d90e5

SHA1
6f00f25fbee524f58db03c0bab9819b2be3b8507

SHA256
d88f2b19b44e6fc5bd10990d4a7e5105d702334bb8dc23a6f6e0aa9fa8bc084f

SHA512
71c70ccb544cf0afb14405528480f0c8f23e97aa6f7334778f0ea49b781898b91436a9d0a9fc603cb4d9bd051a9dc9b37c523a04cd72a1efb9bbfafdce6f81b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f174adb037f46d4ae42eabc049ad4410

SHA1
0d40519b2eb0e32b42fba71af0c787f8dc78f912

SHA256
81a8bf2922c26f52488f70508a2aeaadcba03d5f3845ee53c16fd1da5634f6c1

SHA512
9ac20b2228acfa26d048e4a252645825151a13551723c29b923f29cfdcb09878a74a808a628b2acc77fa06af255e7001626d72ae93ea930f269baba3b5bfb6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b14b0c8131f55feba5c6377a1dbdb9e9

SHA1
8d75f5c7857d079ad44bc7c469bb3f7c32087c86

SHA256
3936a3557ad713dec25318d59d91a0f950947be963d4c82e9ae23f4e5e1d62a9

SHA512
c60d1e42af8784cb770a3b0f979df37ace52e0a2cdc4ad5eb4674597580b6dc39d3cf59c36f1a614d549e77baf49388a6fe6abf083f0ac29d80bf20a2421627e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
10f918ed54c7fdd616c7da44c4debf1c

SHA1
b4fa6c8f740c3e42f20157517dc1042f63c9fe78

SHA256
47f50e130a33e434c5ac09db0e8d581e2a09acc3befdee6599a86b0061548976

SHA512
40e43486d6417b681c77f8e8f7ba6738fb3eb8d7a10646c3b8a6cd2e7be59a0eccbdec19047eb3ec1b40cf96516b4977b54301f95268615084bf3731e05ad1ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5786c4.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4738f810fcbb4dc93500bb4200e378ea

SHA1
e66792890d799b54a6c1b5913b9c88f54d212ec6

SHA256
a1c48983880d699ea39924cf2fd75c832b38115123c8ae10dcd91f9b4517dba2

SHA512
d00ee65dcbb23b6c75206fc0bf169c0d89a07110c7d6652df1611226cc53913f9726a617155eb5ee1830c983428dfbb658ee0eaaaa273c1332907fb664c6a735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
359a3f2dc1bb5767bcaf3b92c0be6676

SHA1
4b9d06ffc737cc744ac3c707e33d54c1ba04f5ad

SHA256
b666d8e41d15c91d2cd36574ee47ea44df938ebc022e3c07770364ca4b2bd74c

SHA512
d2e88350b5efe352ab96a3f30663854c69fb97dd68838490b478502b3c0bf20470fa256ea51293876d72cf1bf2067af64e8a781a6cdb14c41c8ce6cef9d96588

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d7f05666f2e553606fd8754b85619d45

SHA1
3f8aab347e1026093da534e138566a037c913bc5

SHA256
68aea97275fe08e25e68c8fb38038aec1a54309c35e1f3e7b1f54bb7de2049ba

SHA512
54184c0be0559ea0e7db431c2fa5f4ecd71c64ee4e36ebc98bf5729d31c02c6c933019809fb20db0fd4966c6aa95422c5a0caed7f99da060741c3a8cd5401569

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
9655289092a4914c6d5a07da93028f39

SHA1
58bf98e19a21b2a789ae2415e5481201752e8371

SHA256
03a5350b9facaab4f3cd150e97bd22d4f3b3a8f6b4987964a0d25b3a9f86801b

SHA512
b9c31431837452b3099de687aa00e946a6914189f8c2a3c46efd2f85ae80da378472f3c10342420a74d75262536caf817485c43583196bacd76d03b41bc2598b

Download Submit
C:\Users\Admin\AppData\Roaming\e099a600b4b1389a.bin

Filesize
12KB

MD5
8c692b8981691d88eeb5cc0fdc0c81ef

SHA1
3f45f3e92f6c204c5b44de5407af84956974f2c5

SHA256
b16121f46589cae17590862afbed7e6bf3ea0636ff258b462ff426f1874da1e9

SHA512
68434cb3fad3d0cd198084735efa081e4e1635abdc5366fb04ee6f9bffd3312f1fa112b13f4002303138fbf26bf2336a44ce0e6e72bd83daac2759cbba5170f1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ab65cb238efdcc56eff666eaa42b4dc2

SHA1
ed7e65243e0b8a46288230108ede82cb01ac150b

SHA256
0606b979c59ead5307eb400984732df83104027d4a45ad6267bf9bfdc339c5af

SHA512
a24ac7278d7a34349ccb5a82aca19cd51fbced1f27300fbb4d861e04594cdc2f52ced05491f47fa8f29eaa9996aac357b8db51fc78e044ba5a1a26f866f4b199

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bf0aff860a470ac5d594e3b3465d7b6d

SHA1
5d59970b73893a31e146b8f2562be5e609ec997a

SHA256
a81533968caa8bfd308eb1bc63f692b5fa47a5ecd1f914d43fe4b248d37d603e

SHA512
86abec64b2983c6c2e47f6f7f6211c2eea6f0b437ad7667c4b133943d1529de24fc6c3b562e4d65ff3a6bca1b9d1307141c0bc3b9408b1583d52ea8fe55127f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
06a8a4a4c72abb2ec298935f7b510a5d

SHA1
47f6c5ff3f5c527cd069ad20340352361802692f

SHA256
86a2a83b964d9ee99f156243849d772d704783d86ed97179d2258a51ab037b6f

SHA512
6129e9d3746091c700090afa1e6ab38b36b0492c31a658c0c4f5f2f972317a20b6c4c09fe41c0ee114a9f961fa9733d772d160e68f810dcde580fb288f317a46

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
42a459cae84573ca2f6b056ebae6e4b3

SHA1
43905b59c6a60427af0cf456d01adff7d734867a

SHA256
bb56721478f4f251f77baae8a4676b06a10a07e54a27123b48aef86eb4b4722e

SHA512
dffdab04c3c72569972d5222e52411ec8481fb9a705f6e06beae53ac75914412059c1d3ba7296276f9b519e011cfb2692af568339edb6872ea5b1c0d47c84d04

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7751da11276d04cc52322c6b95a2476e

SHA1
83657fa58b58e251de95ba830a7049dcfeb4ea45

SHA256
3a533ceafa396c5621d4ee7bd65c486ec5845c270e36e77d9d18b45ee980bd5a

SHA512
7a839ae95a717d1acb23159091c90172e3a17a1dc20600390bebc8246a7b333a0795160590e63e313590b38a07da16746c8e9b8d92cb3db6ba0012d55085b843

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f58877ab2ef5a9e20e01906fcd9fa314

SHA1
c4870b69de0a2bbbfeaa3757698787fb8cd3f3fb

SHA256
1a772d841f60ef8f3dfdaa552c522caa9bdb0193bf088d94eb591d27e41e15b6

SHA512
873312cd33f5e7c36892e62e118a6907f589f91d862b39c11f432475d371ce76d0fdb559e17475e85738af14a501f0d05a9f05f8d852c427203733224856f648

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3f8adfda39ef5d101a099cc325d7ef55

SHA1
442cf33b6156cc11886c2f9665c4a2a8d560898d

SHA256
0b2907204a2cb46f59f427640735713004fd2136e267a6cfb2372094fc8a6e24

SHA512
85bee00f8b0ca5dd59f361c5e9b083c050a62d2d40a7e9c5626b8ca42d4008cdd665b0bb90c8b6591c9eb799daf12e8dc26e4cbcacdb4b79d8314289c1a06bfc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
449a499f49cfe82ae3333228a7ee204c

SHA1
b645cbf4b8462f4c13ff859774c395b28d56eb25

SHA256
5b61378172022a4449562058e7d14e32fdbdf6c05a5753cb27024c93063e1481

SHA512
ec7f493f22b511e7393a168db4ef1067a70b611eb441766a23e15f9b7d41322554e41c2da930e9c1202bd0c5f7805cea6080095cdd749bede343e0b76bd3cb7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5d72b307c063515ccfbcc6e08d9cda0a

SHA1
db2914cc98dd7709084ce90ebbcf6924468d934e

SHA256
1d2106c3997a550942a8860134c29a5b78a48fdc03f1b66ca21eab6c915e69b9

SHA512
d3a6cf68387096fc47428776549e484b1da41a24803454ae8d5e3db41ffbbda5fca28e7d54b4167fb20b0ea577ee138048220c9bbe4b4a0a1167079002fb0031

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4755ee37cef20c98c808c28feb688c09

SHA1
358be0af893a0de1f9a1f001fee31a6ae1fdc9b5

SHA256
644dd4405e507f44d6a11f0f8d4ac7ea50d580f0b3aadd8044bdd73e2a23a026

SHA512
ad8cf9dbae0e3cfbc43c9f00ef8af1717a741ea3d28cb09014da32854405e50065e5306fe8c518e48bf9dff8a81669744f2b63ffb613a5703c152a4ef59b2306

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4513402d5940c4252c722cbc5654dfe5

SHA1
01e588c8e360f2d321cc48f7dcf78d0e59d10668

SHA256
5be69816d3f587579c70be0c74778cc9737bec1b166d4a7024cbed337e4abb96

SHA512
fc2f24c0a27bfa9bb74cdda2bad89350dfe6acbc2b6c1e9233820869460ee7bc9d0cc37b802bef550cfae25e84c54423bca8d7fdba276b978192157e200d8c6c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
75eafeb02a381e29f4c9c684d22b7774

SHA1
9cf5f7260dcb56c6643d16c2cf8d70e3aa83ce79

SHA256
7b36d05893b669a3b7fb1337bca29f5e33e911ecb7b7a8650f0d59768ed25478

SHA512
4f92095db5c7fceed94bc804387dcc3717bee7490a67f0f07391dcc8147c75edac64f72c44d28ab2ceb31d55c8cd31126135c761c7a0bef33d258982f4a2c685

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b8f526c9bb777cd629871457d713288c

SHA1
b91faacc1687fe95cf2bf4ed5169c1524036d59d

SHA256
41a8a64a2231d5d05b2f566cecf4d83bf54e5fb2e7fc1bad060bb6783fa052d4

SHA512
936de5c5df8ff07b006d71a3e80ba39f9e3523ff001b009ac6042ba4682e51433a6a77c126d9933671e625f0e4dee08f9ef32872a56c7956cd9e0430fc65cea6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
2427151978f3cb8045ab795793452018

SHA1
4fd52c53ba099909d1a1bd405122f5a8850190df

SHA256
d23de06955000237223b76d999eaf906bb50124fdf405e0d630735fa521bb382

SHA512
108d57e183bed767cf41f502bfabbccbe69e7868c4e447b5b3307aa02dd535bd4e0b441747a4e44a12d5b83027930ee1eb2984d488e33356f25a8aa435e20c06

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b34c190c5576b2284c4e89aa961b6966

SHA1
98bf2d8c7d8b002f2d5382ec0f0ee2cc43153c05

SHA256
c4a9fa220ec4533b69fc73b109235315a5da787190643853502c2d0ad3821f8c

SHA512
a47dec531f21dcd5fcbce62679ce2030661b18f21f163ccb91c1cb1b1a976774bf06a4c1ed5b82dc26f90b222b6d2fbd610712b5ca4e84f6fdf0dd20d5feae8a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f98a8eba3e7ab313787efa6ee2b89b8e

SHA1
a776ced015e538b094f76639725bcdca4b5a26e3

SHA256
b0b9fdffb2e6046ce28aa62d0e47ee84e7196831303452ab5bf83412cf084a36

SHA512
d77bc38bcc7677a9afb593b29f06b30159a6f1ceb9bfc473f6879524ea857d83d571886378ee5d54dbd5e92e23490dbb60bb0c566666ce33ca5d9e0fe92aa7a3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1a411da31a9511afdf78bfbf2700ddb0

SHA1
61a61dbb731d97e6cfa62301845b166ec84e7c2d

SHA256
d68afa84f68fecc2989377bb13f07b4c5db9deabfa92e4de80938f498cde9c93

SHA512
b82e90a3d9db5b596ee9b41ee21f7a231cfb1486208f4fa2da21b739f4aae3c6719ef6134aecc28680ff3a0cd534d1ab86e12f919ff6883acb07974eb68ade1a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2b5aaf80575f26646b120f27f33bee1c

SHA1
dac6f6ff6dbd52e4256c8c79c101688a7d0326b6

SHA256
cc7c63c9cacb44a1a3059b76e939c005398e549ae187f495bd599c7124202a3c

SHA512
4e99ed8bc6f97e8e16f9de73f0a9e08cb6aeb91e972493b357d59bf19f313b620be73dadb034514326b939a65c8c328e2fd0126006c0070c1b4cfbbf3fe66751

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
99a8fbffb9631bbb3d75291d5eb37beb

SHA1
c27a1daee4021bc0fd7d56d065ed4e4153a89e5f

SHA256
62bd29463e3de211d5d7700e7fe62660dc4e6cbd3b96733ae44256f1bcdace46

SHA512
374e7047aba10a3315bd9d3fa843b788a5fce43c3794969caf1f7a651337970f117115ac3a5c5b7c8ff0142781162912c803fabd08615c3e087160a8d981b63c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
be2e6eadd5f435ad7b9eb0889c86524a

SHA1
049d871b417bb0513477e552190563809fb2b1ab

SHA256
de34eee588278bf40c4d572d4be3a7ffecbf22e60a94d4f21ab24322badbe52e

SHA512
b046a7b045338017fb10d295dedf729bb43b9e550c0bd0277529c7155d3783e09157b37738f021a31269a1f3a02cbd43a2dd89fc5aecd2a73790e4ad4900ce97

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
ef8fa10ac55d8011854248bac2421862

SHA1
668efcf65a4954bcd858db1d1e532040463c468f

SHA256
e369119627ad7f2d837bb403a04caa0b321244855b3e211a21f78a2d6d3b7a7b

SHA512
5a16da7a024b4eb566aa3b72398ce70079c69e600ab398a3546a0c312578974ea845830d2d8479ce1718aef481bda55035f99e4dfc987ad1a0615045985c881c

Download Submit
memory/336-227-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/392-229-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/392-692-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/508-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/508-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/508-42-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1068-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1068-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-482-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1436-457-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1688-219-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1988-30-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1988-513-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2152-222-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2272-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2312-9-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2312-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2312-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2312-6-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2516-215-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2688-224-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2708-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2708-461-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2708-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2708-17-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/3380-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3940-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3940-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3940-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3940-688-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4364-218-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4428-691-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4428-228-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4536-90-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4536-216-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4536-96-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4620-102-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4620-217-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4652-223-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4868-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4908-221-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4960-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4960-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4960-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4960-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5088-49-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5088-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-353-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-55-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5372-693-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5372-447-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5608-694-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5608-472-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-493-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download