9a61381fe019aba96a643099959154c16d323d07414e5b00f5945b38439fd433

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 18:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
Size

5.5MB
MD5

147dfe1e2ab6a8785ed12a93dbdd7fc1
SHA1

64a327089679dab01702bff017fb829983fffe9c
SHA256

9a61381fe019aba96a643099959154c16d323d07414e5b00f5945b38439fd433
SHA512

98c87456a0e9d86485a39f1fc854e47e65484ccc4d1c689ade87794698e314dd795ac7413d0f344efa72a22f8aeb2a3ec2763d20784adc6fb668c2d354672a70
SSDEEP

49152:VEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf:JAI5pAdVJn9tbnR1VgBVmF8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4672	alg.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2512	fxssvc.exe
2008	elevation_service.exe
3396	elevation_service.exe
1996	maintenanceservice.exe
4504	msdtc.exe
4688	OSE.EXE
1156	PerceptionSimulationService.exe
3964	perfhost.exe
1444	locator.exe
3592	SensorDataService.exe
3416	snmptrap.exe
1668	spectrum.exe
4900	ssh-agent.exe
4308	TieringEngineService.exe
1328	AgentService.exe
1832	vds.exe
1516	vssvc.exe
4424	wbengine.exe
1440	WmiApSrv.exe
2612	SearchIndexer.exe
5588	chrmstp.exe
5704	chrmstp.exe
5784	chrmstp.exe
5432	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8a0fc0e2293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\OpenExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bf130ac97bada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133624299384222259"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d0263ac97bada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d99d9eac97bada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074ebf5a597bada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ea141ac97bada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000431657ac97bada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad00eaa597bada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
4952	chrome.exe
4952	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2112	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
Token: SeTakeOwnershipPrivilege	2680	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
Token: SeAuditPrivilege	2512	fxssvc.exe
Token: SeRestorePrivilege	4308	TieringEngineService.exe
Token: SeManageVolumePrivilege	4308	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1328	AgentService.exe
Token: SeBackupPrivilege	1516	vssvc.exe
Token: SeRestorePrivilege	1516	vssvc.exe
Token: SeAuditPrivilege	1516	vssvc.exe
Token: SeBackupPrivilege	4424	wbengine.exe
Token: SeRestorePrivilege	4424	wbengine.exe
Token: SeSecurityPrivilege	4424	wbengine.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: 33	2612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2612	SearchIndexer.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeCreatePagefilePrivilege	1560	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
5784	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2680	2112	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe	82
PID 2112 wrote to memory of 2680	2112	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe	82
PID 2112 wrote to memory of 1560	2112	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe	83
PID 2112 wrote to memory of 1560	2112	2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe	83
PID 1560 wrote to memory of 732	1560	chrome.exe	84
PID 1560 wrote to memory of 732	1560	chrome.exe	84
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 3020	1560	chrome.exe	108
PID 1560 wrote to memory of 2296	1560	chrome.exe	110
PID 1560 wrote to memory of 2296	1560	chrome.exe	110
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111
PID 1560 wrote to memory of 1540	1560	chrome.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-09_147dfe1e2ab6a8785ed12a93dbdd7fc1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc9c6ab58,0x7fffc9c6ab68,0x7fffc9c6ab78
    3⤵
    PID:732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:2
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:2296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:1540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:1
    3⤵
    PID:1192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:1800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4712 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:6132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:5236
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5588
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x298,0x29c,0x294,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5704
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5784
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:8
    3⤵
    PID:5172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1892,i,1364863751247428883,5496813559000108755,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3396

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3592

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b4c7e82fd9dabc044011e23bca5b3788

SHA1
546c56f671d203aedb29f67474fe0270842dfbb3

SHA256
6ca39c1dc4d323e55705d27a973c39c54fd3bfd9797a5a3369ea65ae46801e9a

SHA512
c17e1dc8050689ad0e23c9e059b9ef6a0e83cf619d5ac0a44a01e44e2dfa308b2de0ad61883adb7446eeedef65e2ba5b4f9c5238fa16d7e3eba8408a82983b0b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1910826cff104ca9a2db33f7861f7df2

SHA1
93024d37c675d0309252b2b1d22cad365d33cfc2

SHA256
b94745db5ad420b2090f484a18226ac46618bffd6d00b2e8df8e1aea99770d77

SHA512
71f17deafe82c08e3fbb3c7a0a5289aa71cfd2abbdcefa630db73a9181ed4f1d1f5fc0694c7eafb0d3ce413f4e4f12fb738d1c7d8c5f54a79eb1b99e6f3dce45

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4699a10dbf7a41bc705dc3c01d61dcac

SHA1
21aed0759b8ead6c1a15d3c087f981f39a257899

SHA256
d0296f3d8a269eebe3631494182e13f4c19fd2a46210b416ddd7008e789d3662

SHA512
8f802956dc61bf4afd240e3f784135c8aefb9572beeaf378ab785ba671ac92658b1ff417c6a809951ad3e3ad74d39d1b5bae85b1343dca85c571880796d646eb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3ff971997ec662295c536e8b89c37b0f

SHA1
6e49b3dadd13d561b3458f6add40cbeb4d50c43e

SHA256
6f499a7f8fb5219ab5240812bdf0483f21cc46d8f7755caca1878c4cc4b91c5f

SHA512
a40529764ef59133f67a195b0a40721a4470d072fc6a8865af1e01e1007f9691cb6321c952381b31023c78f2e60570cb9aba255537a71583ecfc0c03f6a30bb8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
435b5765568728a9b452fc43ead7c932

SHA1
8bfca886279ed649b067afbc74bf007d24e17e01

SHA256
374436738ce28dd75a759389938d5009cde5597efd55b498210608bc2cfd0035

SHA512
21cfeb7e6ad5fbc70f80261112e537b5f356d0bc22c1930370a1f85b3b05d6379d9d02765018d9b56d9d6e0920d4cd6abfded839bff07dda0601c731eb021850

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a46b17371e4e9c48ad789d352c9caa3b

SHA1
2369ec47011fafc57e72981b94c0a43b231631b5

SHA256
7b980332a3fe26d9700e8e020efad9921416c82308b945e7fe5dcf340925763c

SHA512
5373e566e59cb251eec10f119054e7530daeeecba80753de7ae7681dd8c12d2f304aa62c36fda37898c484ef57114f29da1ac53f9c0722b5a02e1290b07737ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
11ff8e201c52e0c6d2eb10c5da98a111

SHA1
5859b20dd874ed89e1af6c304dd65a49cf612340

SHA256
483aa1aaa03d165b143b909c84e13b992cdc9b70e32b57ca394d237fe00d2a86

SHA512
f384e1ea23d47a09a37fc130dc41808b3b26fc156238a6bbe1b310e7d0092ba664a644f0ee1b0abbc2f7321368deccb097f82bb576a43dae60f10375173f8ff6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8da01a7d6d8bffcc5e4099a7d6c1ee25

SHA1
c3b7472b659534fedc70e2297ef47ca84db003c6

SHA256
4d4e390577506ebc8d335a4ce86f065b2018cafe32d50b442aef5342ee37a291

SHA512
fd5a3f48a239e7496a83b0e2be805711e1d092bceba87b9bcb3fe232440b22f71419e2c7ba1cea5580d725cd4f94bdd0052a4c3dc784abda9936c45a3353f523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3e8473b4e0409ec2e68223dc18559ace

SHA1
579295a3e66d3193d17ac5c55c3d60f38dc85ef4

SHA256
313a786bd012c6a80a3e29b56a86acf97dfd5b90687cb7d920a87005f1163d0e

SHA512
2193c0a885da0bab108d1dde1479c9a2beff55459fb4a487c7a70dabb8a60d89c107552a83ca26bf2b349354fcfe16c65a626dc7b76a4e93bfe7d4cef61a2a46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
595898b12a968eec23d308fb8ce277b2

SHA1
95dda1cc42932cb33cb5d319f4afaf428b878a73

SHA256
137c078ebdc460d009566d45e2dca6304ffcbf307aeac40cea3ab3774397cf5b

SHA512
b384f4c1a021c8c00e4dbb715e76f6ffb3d4f305a4174a680f3686df0af6cf1c2710d82a189e63c2dbd77069cded48dd9f5aa60b9842287b25cf0f6a8a0a0efd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ced220802cefb0fe856b06c182a58b01

SHA1
944681a5aeae16759b86fde71ff9f71d7ff3b522

SHA256
65c1a47c7e360f8155a7d297577cf5898b11c59742528ed703ef49474e554450

SHA512
852e2ac49ed6fb8a33369fe05436898f175795a3f3992892dc2a6bda22f380ba8b97ce5a8d77b8b1f84a717cd6ec48f3035305f2a4ad24d52e5fbff84597d85c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1d81d695a07b3e3bf9fc15f2c322c695

SHA1
e7600d3e285d36474cab9b9933410d871c831f1e

SHA256
707ecad370eaa82fc4b7def4f59a063fa6010d087b9abe51143db742408570c9

SHA512
d3a56baf33ac312abd9099890c02590336fb7559e5dae09c3a2da8dfbd0ce16de42fd4925633dad5719a4f86cb277503248dc09ce5e2607644d48c12c48e03cf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1edbbcfb71c2f56069cf76b6324d17a3

SHA1
9385a8fe151ca0c46220658e4c5b86cd13f8e594

SHA256
2a03a7c9a86fac5d039d0ec56eb6fc8e4579d2fbe06a031883e1f4f3267f6072

SHA512
7d8156bb0acda5959f28ff6532aced990f952c0e566c6c347f8351b9fed98d613aa29b30800c938e1171919852bf0469315830b8da118735a38acc19b8458235

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7002928a802747214af51ba00165b22c

SHA1
e0b7f109161cc288b2bc1ef21aa3a7d4e97b1705

SHA256
ec40b8b0d63039825795a1129c2d2eb5f19b1bcb31062c79ed8234919c9ea72a

SHA512
f54cbee4d55507f0372ded9f6fbb8804566afa637eaaccf7a08e79fc9e48a95349997061ca615d07200d697be9f129cb354c2e98e81ab0a576e471e1b1220858

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d2608f2531714b7ba6f72a42de1b6d4

SHA1
50621037ad04830d0dd4aaa52d56ad66b991ce35

SHA256
bad4d37abcd960de423b7a735440454d4d9633bc0aeb2bfc48368372a6018e4d

SHA512
03ee0c6a209ec8d04794e8389cd5b279f65c74a9ebf7ea1b1e01c0bb3296477bb622e08c3d9a6ed8d7bc193f5f45d4239d1dddf5bce97bab9fba249f1363fbdf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7bc0be7300797744f4eb7a7a287e6c43

SHA1
80121b1143782fc455131cdd5a9deef35d3fb686

SHA256
7ed3d9b72c098b12f6bafb8f2d82c71cc8b2a6d20ded489afd30aae6ca65298a

SHA512
1d92013cbab07741b683e8603ad3ba1bee9d8f1b91300918ba268d43a5d421ea8309601bf1485f04d1efdeda5dba5e3bd8b6ec42915a426e529662f936096962

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\060df407-3703-4afc-bd11-cf502018b42e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
15010da0aaa1768c76fea7370990279d

SHA1
b71cd77dc0d4c190a68b0c1fc1ee1c0945ca1cfe

SHA256
bc4082ff671da8e0cbd60983510f3b5c6c7b41d1716d653ed2c048279c0e27c0

SHA512
d68dbfcce0d1036ffdf0afb3596b443b9dd2af40a21f680d6890be51784c892e3b320acccb80fda4e3c198eea3cafde2cd52e34163ea2932468987f4584bde41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f83bad19275fd2498609f54c7bc3e5d9

SHA1
59be8bf5f7b065bad95773415cd467a83f3dcf6a

SHA256
778f1be6bb25fa33d47520082a42a4dac33bd746a7916080655b2f982a1c1cce

SHA512
3b2761f6f9e1bdc242d771ad627fc3647a4d1288bf81fc8936ef21c985ec9bc52c8cd0b0c10ba59b9c5a82e68ba7aa2a7c1d1bc6222cd9111fa48cdd18d21b8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a16201bb09fd2007b470c1ea20a6fd6b

SHA1
26cca02920dd5a8f92f079533acf620fec05709c

SHA256
6d3cf2a823e73edda9650a766db5cc8b3876affbc9053eb5b75538f21105b663

SHA512
c8c35fb7137124a6b2aa8f92e8f849fedf066bdc832e77cd741f81459c6a2238fce7d0513fcce347a6eb2bbea76cf936ad5c15ea6e8ca42420a2f678cf61cb03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2628144ab15c17f3e895cc2726240d1f

SHA1
557420301f0d4ac7d71757e2ca459b00a7ed4584

SHA256
cfaee0ac777563a21dd7d78b9d9a5d5f1b52da8e493a8f0777aa9029b9e4c2b5

SHA512
16c1515f5004174f08280db9debd9b13efb0cecc2bc2e400ce2938e39a1c41622ae4f2f2b89fba78128f6e2aa9e7408e48044885f00279cd2b889ccbba254927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578a5e.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5a3bc555cb6795a5d0096f726f14b2e4

SHA1
ad9f9a76b72e6b63ccd2eddd20c71fd4baa6d10c

SHA256
b77df46db6a2adcca07fb74ed85acba2493201b3da1c8bad34b1882a63386e55

SHA512
c42708e972897c647d7caba7d2be0e421dd04df8e4a130048f8f4379119a81229df4bf5d7e7f8e114826b0fed7d960f0e805e3c10f93aed49633cd2fc0282fee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
3ad138d53cfc0a59af463c9c28617da4

SHA1
96ddd12ea1694ad20ea20562f5cc68e08d235e4b

SHA256
a795fa2f58e2c8bc74d6e1d16b50924fb60a060e46b0eff84fbf253172867624

SHA512
ba001318ec4e43fd83efc1f073ebe5795b677d0db31efbc8a97cc913e1065cb74bcac57ab503362b58a939877ff8664cde9aaca0e530f39e4a4bd2c4a55b3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9c9df8a6562ef9cfafd417936ccc7d1d

SHA1
4071f1de72943adcfed320847b6bc0cc912086e9

SHA256
22962db9194968b8d9528db54b05e6ea7c033478075046c21abb2f8c87dcf6fb

SHA512
f54fe4cd5151fc3267ec0a8ee00ecc101ad9aaa98286e8e9c89e877f1fb5ab069dc142eda4a1e9dacee110afba4c2ddef1d96e04c59e61be092e6dfaa40e70a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
457db6330b3734ad9de8be6cde49a321

SHA1
ab4900c4b9bbb615f6626d4f5c5275fda094002f

SHA256
c3e6dc485c81f45670a6ba3b2575ce0f493ab894a9ac403d6b4902dd854aee11

SHA512
d79295a36b2eaad3d3f18e3319020f67b30d3699ee9003199e596febaf0e1cfba3eef8549096bf30fc74299f137e459e4fb2d27305d47e72af6479ff9397c052

Download Submit
C:\Users\Admin\AppData\Roaming\8a0fc0e2293b476c.bin

Filesize
12KB

MD5
6bd98384e352113795cbc7545bd5bb3b

SHA1
22f5ab79451f6c07c79112096e239ffe167f6ce3

SHA256
bf4cd5e095a2c8f3ae9114aeb9c04ce8a586488ccf0028b67a572126bf3c7d27

SHA512
2fd9c49ae88a7265880f92975c44e4554965d07e85f035675e80e263caf6511812c8b39d32fbd0b51647841f6a41e466399f506c9659233187d0ec70030be2cf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0a2294bdd8d2acb3a0e03d6b25e98448

SHA1
8eed16e76628beda82a4021f3f6ab41cf8a844c6

SHA256
792d6f4310a980f9522f8093b35397e280e27463ad36b7756faeb04ea5370db2

SHA512
c7395a0947038b38a7dcfe09105adc91b0b698a07596167b897b6b7d620e6257afc51ff4d4358f82210270550656242b48e83a63a1bf2688d00adb8c966bcb01

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
63e1c35f3be0ff10e9d2e5ff4877a723

SHA1
9da303387899a2acfb401f10a4e05b1b1f06a255

SHA256
121108be70bd43e34f25e3878f338dfa0a720e4f120d2e52a6be03469c886a3f

SHA512
e193367944305aeae20b3130a449d4a182700a7c4608308f0877f7ef9c63ad0f51299c1fa450972929fa2a76cc659b57fb32643b2bac91ce3e3a76f24b4793a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9ca7424856f8969b042ad31a22da0d33

SHA1
a346f9500a200a0d980da7b9dd504159ad3dac49

SHA256
36d32308e90f8e25ed21ca5e4d95076cc29a92ac8e49e60fd2166e5b229da867

SHA512
b68e5645dc9d2b817df7ce96bd5e1f96c2782a3e0dfef01c1aa2d12893056e9cdca0b35e967fbcef5583288d466b8cdfc3d822494fd2441c4b09ce3f5863c3f7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf6353038622639e524a68faf495a637

SHA1
fdd4e9a095f0fbb90f0c31754d9007c31f7f8cff

SHA256
98833dacf9c8033827fdbfc215b03b72d1f8758f08fce848e2cacbc3f12dfb0c

SHA512
ea716a5e7580038eda24dcc76aaa0821b2f081c66100eaf901376724dfb4416764a06827da6c788b9d731b5e43233133e4d07bce8311c6586f2fd6e3af90ebd6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
12264db9995ea6161fcb69d46e7d1ec1

SHA1
e09b033a09ed46ef43019c0f1a26bae4f176eb25

SHA256
6b7bf156d517317517e70f740fc1ca4528e29520a05d957b2747d5205878aafd

SHA512
62f8ad37ffb01b22a22c50f12ae7bdd9676645925a256109229453e186595607476c52f68968dd7ee016785d09821a180a1edd609a2fd822cf3a1cc50286da55

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
72a70ed9c568c6f8583a674028f55762

SHA1
be5ad9aede82ca772dd6148a4b927e0cd5e72132

SHA256
c9e84e5c06e4cbc2cb11268d119b4248d806d509beb186d7d0422e337b272682

SHA512
ecea1d285dfd1c4d82f9c92551da69935ca0496b564e00ef76775cee66fd998f057076aeb834e9be31fe1737ace5e306de291c918a5e40012f583a712d580f76

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9ecca2dfe87ee8de18efd24e59aeccc2

SHA1
ab68e0757f0eab340e31bf3c5e3fab647ed2351c

SHA256
88d0efb5c1dd7c1274b32a4c2ec8c61e5bbf24fca1678e5003e81f9a9aa76a27

SHA512
9b882789178704dff254a41d014f573797b7a23086c02b7e3150e0fefa3313afc61ea57e216a477c12a159c0144cd0f0eea1a438ccbd8a930b52d9fa3901f40e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
897229a2acb641532bdf9793f529eb1f

SHA1
c1341f9ba21e29938270f82a80286932c58200fb

SHA256
6b145f329813cd027bfd4bbc12217802bc682e7957733550156ad0ab9bc04f99

SHA512
ab0da4854bbfc98cbcda1e881e533eaf6347fb90b1f3ba77c26340ab243a02fe458b3b002b09ea56aed6a0b3cbe96f64954c7c7ab9ff5df8dae0062312aee703

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
000bd16ede94927d28b9f10f5140b7a4

SHA1
938aac67dfa3dd13fe0a8299980b6793df2d1935

SHA256
eec12bd421d654100208ea3db96508331f0c36d92755d8c7f89480408c5fcf94

SHA512
179675ee5c453d99ba4abe8179c4eb37f2f792e72a450ecb5212e420a2f1bc60cac8d1ede216e7399a2e914ef680523b27a3295cbac4982c1d1b11543a3b43d3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f43296c8a1b49f774563242422684956

SHA1
0ae968971714be9489414c3c6221af1fd38e3404

SHA256
99b220783f3dd72ba15b8ef33e20444156c94dc2d3e2b71193fea4913c486248

SHA512
2fb150c634abe925e730f7e6050671a95900dc9f41ac14f0ffaf2a5be8cd4d1680940e75e5cafd23001157948793e4db04d355d4c0c15659c56ef9aed9559ab2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bd01d292db15b4195965e2f7e93c8486

SHA1
c4dd378d211053219f9d7e5713f0610d1adbd60f

SHA256
2a79c7cefb38d60172a9ba22a316290823885e066e3c68619cfcaaef8f8b5b16

SHA512
e93d840edf5f70541adff5e76bf33326d098db7f4cfb1d63444e9941aaf256d514499940e65bc36f063260347b1ed57bc75ffdd930ec41cf5a1454427059b9c0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d39168b5e05e9f3ad44a59e3d72f21b0

SHA1
f0a99b46d9362495fdf5800ce3f9a1dee1b15bb8

SHA256
9d3eda7b16b8e3f3012b9d464551526a5987458f36d783359f243ff088eb2533

SHA512
2c0d7e2cbc48476dfd8eb5d9ebf7f0c8912f94c4a8c2fbb10d256827b87aceb51cbb8f49b0a9f958f2871a06b974da7c0fd8830b4fd630fa95cce1565958146b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2920618021356d328584eccccae2e298

SHA1
e7f9afd7bd8fe64276b5079fc608a0c686c9e737

SHA256
812900937fafaf92d27d1e0b5760dd53a358fc95294553d40802afaf4d6f73f4

SHA512
f6f367b455a518adf1edc9b8f9057f384f602781b86da1c30130b00576c576a9098a045f13c095a0ec0425f1e25a2e99d777ae9927c143eb608134313495f2ed

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e08c58e8f5d588db048f0caffb499be2

SHA1
e806bd346c3f9352049e495ab749bbc3382fbad0

SHA256
2d49acc144531eb99954e9f1603d6d757053117e88b235cb835455136db30999

SHA512
81c84119ce47d1bfb456e0affaf5dc9c29d3ccf03843eb71d9544bc7c726126a01a0952a1c119789a0af73c895e7be0bca8a838d96ce82086070bc693f201f5c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c64075fdb770ffad03ac84b9ddfa0010

SHA1
13c7bd3306ccb43b858603f932e36c6b521b500a

SHA256
65657abefa3fd97888170d6ca5114eb81c5ee349b1667bc072b7ee8c01d97af7

SHA512
141cb1f931a4adadecfd8a50033503a939d9ef9f725c7405f599d9fd1f0845488635727e0aed4fc4d6acce58f78ef52d6b2d1b963042bf8910d78889085c62e1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
69d108e48fbe87152577912311df2bb8

SHA1
eade7980b41f3949a34bb80ba5b7ec97f37be321

SHA256
e9e22847d6ec2aeff704faca1733d0098e867233296991583c5359930d87aa63

SHA512
2aa790becd00f4d464be40501cfdca065459ac6feb21709e1b0221f522d7297c94b186ddf859a8e41b08c623c8515624711cf77755d8d5d301c62e4fc163d3e3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fec16e9fa1b3eccc6ac62cea9b4da49b

SHA1
d718bbefc2082c9e93b320a50a17f4035510eb20

SHA256
e2c4ca6a11e48a09dc25fd175ba704e76577c6e14a145c85c3e161a3eb84c260

SHA512
b67c73828ae54829a3312405921350be493dae326e420d42f0d6da8e4dbb00934a93531bb7d73941e7210c5b5a87670871918710b48dc918edac170502b223f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6deb09e04ac2b4206b64e01d79380577

SHA1
45fd6ab714d7ab618f72041cdee949c8fba7479c

SHA256
8b0a71a8b70e9916193f5a61bceb5f5c483e1549ff5cfb59f253ad9dddea5e13

SHA512
4f2b0cb5ba68c612bb0648d75bfbdec555f85e078a5f41b97a7d79f87ea8f53f8e41f7473734b8e30f8d846583e2625aed63e2deb62b06f7ae6d804642f2689e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
389a48557d445b300b38d2090c9add92

SHA1
a4be4f3f506b16a8f82aa8ef448376b247a55d3d

SHA256
f5ea37f742ca750dd37324dbf5a4a493ef9302b30d21d4d7d02e12d7dd12a758

SHA512
c28c23062b9c19f999a635315991dec843ced1a49f3af7c16bf8384890ef4931bfb7be420e379dcf1dd0fb6b84f4696ec4e0bd6f21ef8a1a45b2c02a673e6c77

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ee4350ddf1212648209a15cccfdd94b1

SHA1
91e448c5175396bd56eca46721db60e1c7ae54e3

SHA256
ba62413658abb179c0bdbe1ff4ce3cefe037ab64bcc3173682a114c72f9719e5

SHA512
17b8d453cb576d73d0959677ff365c70a01218768f3756224fd2bbb12d546c3a31620903c479e94f6fd9f7b0b093fab6a58af607c508b4e84257abfd120a329a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5ef853a50cf6fd62abb66bd9de603c71

SHA1
b142dffa8a16e2cd721b261c2bce4cf99ee8e5fc

SHA256
bf57c578006ce225cf6e9cdd4b0fd32a6d15b9218bc4830e5548ae65b7a7ee23

SHA512
4fc4a3ce1f91a2e397cd2d61578daf476bd7999324e38eaf76d6d3849a66b7ed9e8f01ea5d241db4d4984ddea94af0327d13381747e2133e432e850d91349dbc

Download Submit
memory/1156-201-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1328-234-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1328-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1440-294-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1440-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1444-203-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1516-632-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1516-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1668-206-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1668-543-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1832-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1832-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1996-91-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1996-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2008-67-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2008-77-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2008-71-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2008-300-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2112-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2112-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2112-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2112-20-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2112-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2512-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-62-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2512-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-68-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2512-56-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/2612-310-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2612-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2676-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2676-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2676-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2680-17-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2680-10-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2680-276-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2680-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3396-542-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3396-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3396-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3396-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3416-205-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3592-610-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3592-204-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3964-202-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4308-219-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4424-277-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4424-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4504-199-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4672-293-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4672-39-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4672-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4672-30-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4688-200-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4900-207-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5432-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5432-696-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5588-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5588-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-695-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download