19ca8a2043e8be3df7a950c7b1dfc9885fe254856e5cd6c0a138f6e6bf6fc509

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
Size

4.6MB
MD5

ecd5feb6de984e6ef8255a91314c3cf6
SHA1

bde0e9c32fa56d35da3bb7e8746efe468c4babaa
SHA256

19ca8a2043e8be3df7a950c7b1dfc9885fe254856e5cd6c0a138f6e6bf6fc509
SHA512

c258c1345b85d56ecdb30ed5ca4dd87ad5343ca687accfac87b04d5ad12f6e5dca86daba2db9f0aa0e65d3929103997633e1ce3c962e7bf112fdec448d209155
SSDEEP

49152:OndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGl:U2D8siFIIm3Gob5iEnxB7nmoO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
1020	alg.exe
3404	fxssvc.exe
1896	elevation_service.exe
4288	elevation_service.exe
5376	maintenanceservice.exe
5268	msdtc.exe
4964	OSE.EXE
2540	PerceptionSimulationService.exe
5004	perfhost.exe
5488	locator.exe
1300	SensorDataService.exe
1280	snmptrap.exe
1720	spectrum.exe
1516	ssh-agent.exe
3440	TieringEngineService.exe
3796	AgentService.exe
5388	vds.exe
860	vssvc.exe
4144	wbengine.exe
5184	WmiApSrv.exe
5168	SearchIndexer.exe
3980	chrmstp.exe
2416	chrmstp.exe
2676	chrmstp.exe
2020	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef4817a092be0f3e.bin	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a24a4a829bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e21eca829bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dca1ffa729bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c80402a829bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e21eca829bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133624926526155880"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f3d3ba829bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d61534a829bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ae6e6a829bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4800	chrome.exe
4800	chrome.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
4288	elevation_service.exe
4288	elevation_service.exe
4288	elevation_service.exe
4288	elevation_service.exe
4288	elevation_service.exe
4288	elevation_service.exe
4288	elevation_service.exe
1612	chrome.exe
1612	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4884	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
Token: SeTakeOwnershipPrivilege	4512	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
Token: SeAuditPrivilege	3404	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	3796	AgentService.exe
Token: SeRestorePrivilege	3440	TieringEngineService.exe
Token: SeManageVolumePrivilege	3440	TieringEngineService.exe
Token: SeBackupPrivilege	860	vssvc.exe
Token: SeRestorePrivilege	860	vssvc.exe
Token: SeAuditPrivilege	860	vssvc.exe
Token: SeBackupPrivilege	4144	wbengine.exe
Token: SeRestorePrivilege	4144	wbengine.exe
Token: SeSecurityPrivilege	4144	wbengine.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: 33	5168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
2676	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4512	4884	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe	80
PID 4884 wrote to memory of 4512	4884	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe	80
PID 4884 wrote to memory of 4800	4884	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe	82
PID 4884 wrote to memory of 4800	4884	2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe	82
PID 4800 wrote to memory of 3008	4800	chrome.exe	83
PID 4800 wrote to memory of 3008	4800	chrome.exe	83
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 5272	4800	chrome.exe	102
PID 4800 wrote to memory of 3208	4800	chrome.exe	103
PID 4800 wrote to memory of 3208	4800	chrome.exe	103
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104
PID 4800 wrote to memory of 3520	4800	chrome.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-10_ecd5feb6de984e6ef8255a91314c3cf6_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ec8ab58,0x7ffa1ec8ab68,0x7ffa1ec8ab78
    3⤵
    PID:3008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:2
    3⤵
    PID:5272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:3208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:3520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:1
    3⤵
    PID:5280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:1
    3⤵
    PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:1
    3⤵
    PID:1952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:5540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:1252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:5800
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3980
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2416
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2676
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:8
    3⤵
    PID:812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1928,i,6810385446774118391,5239311386472669958,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3596

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5268

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5488

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3796
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
473cfd3231e152d9570fed304d8c5a40

SHA1
455fff84d067458dbbdf91729f2423cbdae1474a

SHA256
e51c9c2a9375608bbd2346bec8c627e5bdcbcb234605e5ec5d3519f8db963df2

SHA512
6b930874c063b9cb28790933dbe21667a8471672f68d4084b170704d3655df1fd08af2198fdd7dff34a13782651193a33c1e844c3322ca8eaf8723806ecc0fe1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1c06d19c2f7e9d261b026e35aed549c6

SHA1
05a03bc48ce87f441f2648d94700f6d810698685

SHA256
693c7cd49f59ed26a1fe96414314f163e542851ff89d2559be26678d18f3d2c8

SHA512
e5251b95206c9bedfd7d2f1eff4b64d0059507912ec75c721f4ab7a6c60d122f8d9ef013baadb87bdfb3f3640c909d06d247ab4d11553123a880492a5f055e8e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7285f537875ff0e110af602992112520

SHA1
5b8421ed21a643a16eb5bfe3fa79b982b53d3669

SHA256
9c411d65abe22d7f9f5d4f2552ed02ce005a46d630faa22025c801bff8662970

SHA512
b576f8a57d1f91e2f121a7fe42171ee6538885f7c7a6e4e30dc975dfbf33560389804eb04bef19937e643a188239baeda19857cc9346684666a08ad7ee4f97d7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3bcbea9b72f8203f84ecd82c6ca137c9

SHA1
f0c0705f7dae9a9492166a55f8e40ce455f19fd6

SHA256
e0cba741f31c3b45de208e2d7ef486d9b78a1507223438668a3886bc15fab5ae

SHA512
a1b158431e7af12fcd5ccf4afedd16f1d90d263f819ba1cdecb4f7b5157dcc166b62ddc90d91661d5ea1d9af74caf7b6a3dd40e181d60def2eccf4cc096da0fa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1d8aa61160c7e69809056f9f55bc5ab1

SHA1
b024fce79a0f400bb7a78b65c480101f56595499

SHA256
b0740718b1a198788c02e1ce1bebc725c5ebddf0a337ed0e54d26174e29ead43

SHA512
f50004dc0ae6eb6ed77f21d4a2a2da6c5ecb63bbe0f5ec4e2a9a0a047ce83e4fc6923a26f061b82834718459cb3e463e4d70b741226d434306a0c02c1efd0969

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7c6dcd5ea51659463a370dd959cbf8df

SHA1
71554d4d15f83cb69f44749d45f4db6e22b12984

SHA256
a453dbcd251a0b8f1e6beda5cb8421ccbd8262b45f75640f6d412868eb78aa27

SHA512
61a19bd855383d77d2779fb5052442c1c1dd0e1f1f28b147f2a037d10f3dfe177be465ecff765d586dc6fbdd07250802723ba3796a456b9af0eb5d73a127f7bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b99477893c33bb66c8a999588d51c02c

SHA1
569c49c13a14d938983b6bfdd388b6330ea2973c

SHA256
8f3982bf1861b94c82b6f57c1794e27685bc1458d5d149d9c17f1d492c8f0011

SHA512
9c5f9ea8f758de351d8ab150ec48c182c4e1dcba786f59b3ad498cec4dc3f68c0475180988c6942efd66841706bf37fe0720dce2f3d20befb2ff78c6578b22f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f48e54285047813d1953874d569f8b6d

SHA1
118c9a5a3f8edb83e8f6e31c0c700e420f25d323

SHA256
7cc2f0889b92915bb540f8d7e18e3fbe9371b2ed4dacd35f7865b9eb9f491d1c

SHA512
ef69e640a3a8a763dd3375ebad11657c667799821ae55fdcf0b90c30c0060e59d12a0de9d4ac90ee49994c56bc4c9a33b796a031c7a343b9b5d5b99f099d9f41

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1072bff590c1aaf8f27dc847c32b7fad

SHA1
a697389c67340057515bc9fdbb867af0e0c7bf9c

SHA256
7d108ba1c3862e6058e6903642648dd9fabeae0bc1f2364b3704c3970beb4fea

SHA512
b906afd4d9601bcd1d149328a98ffaf43b4e7c96023987e524b17a7a6e6cf39fe738b26a16490ca8f92b51cf71f97218a0a645afac143c04ff4bfa4c2c785bab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a060d94c8e86249faf1262f550880e11

SHA1
b86b0bc1f245bcf78ca61182631f9e6c90c0ede4

SHA256
bcacef0db389b35e67636398088af166ad1cedf27871ef77406e1f2dfdd79a7a

SHA512
b077669b88a6cd91e96ba80c906cdd778b26807bbf11b53cf86ab8f6d52d217b0fcf94d95f3be4b46792c67e0b233fdd4ab3ea454dc1ffe727e857c5861cab0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
feb4ac13080a4a25c72d09662a888e41

SHA1
dbc54ba004846265a4438ffc6c45e52036615f80

SHA256
5e9a8a64d2428e95521b3d50c829966b112cd352e9cac19f2c9d16a65d195cc4

SHA512
ae63016e0c5125bfb68902a6ebfc7c77895b84627ab9f8e55a91308d497759b50e94a39a6a64c67ee1f15d57d4e57872ac00bbba2b7be360a6556519142d7416

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c5d6c4f686c39fdea6c1fdb0e5998b0f

SHA1
ac57f67061629339be642a46fe086a1714b8311c

SHA256
c2a78725c980ca3d160e399c2b5ec89afbcf18672aacd43e33e0219b16ebd1d8

SHA512
3964775a2a23aa0b1d963bae543458a7a520cc79e634836abcc7c3eb4fc828d2a3cde6e312940a1ea2999ed24b2a5bede9b2b9786f010615962b7ddd3906e07f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b1cce456724832ae587e6647d7ed7745

SHA1
6b53e017c3553d0b60ff803ae927c2922ab915e7

SHA256
111b9a02e7504e708bdc9aa7536a632fe9e98a92b1ad07dc88b76aa9aeb00142

SHA512
a60d626b64da78c1c700df4b726a8296dc839c034516b00afeb74e070a89a4924d55c19adc9b05582011e435db14bfb0600aa4357b42bf1413d2ee7e23da2a1d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9abbc5893bc59b55c51a8e349b981fd5

SHA1
971b1ef001b165a72f48d1007222a677936dc470

SHA256
64a133924bce829b1cc1ef4c229ae9491ec4c6562f263a10260b8e3adca34cc2

SHA512
bb4667d462e98f6d5b745e2504863f115b9108895fff1f3e703f6e64890cd1822a99758616386e99d14f2860c6fc299d085c86ed185f6bcbe68e328c7e2814ae

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\13a34a2e-8a61-4eb3-a972-bbf8c177dd90.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a7b79b48e6de38779adfca9323ca66a1

SHA1
1433afd10d3571c71ca09396e68f0271c177481c

SHA256
1f39359b34fdaa0ab8d6d8729eaa8bb15fa4bdfe732fdb17d63e3f486b278bfc

SHA512
79f1c7eea012867fd9dc8550af5eef99c5ff4ca691bee8aacd14acea05f0f75884ac82ca2ffe5f1d0ea4fb590ba165df53addccd6f174edb299597313f5a3341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
97f412f61e433b4c9799f4c1e5487385

SHA1
0e7332232a7004c9322bc6daa8820a8d80b92e54

SHA256
c16d6cabb9d1922a924844f31dd8194a7470f2b673921628216cdb62b268f19e

SHA512
0936e983654ac851d0b4261955b1a74a4155489539588dfa2e4e1780828ac5e21b1a34ec209fbb598f5d126ea427867f8c9a884e8f0d2c908d78d9bf25ee01fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7947dbd92d9c41db05975d3272d91610

SHA1
8d4ea88afabe1de79ced61b64fca3cded6fbf618

SHA256
d41660cc0d1591b50defd615116bae1b6e04f27d7892c566ef4b5a27a94c0ed4

SHA512
913e333550d1a975eb38ffe8c0739262154bab5cfd67c026285fafe66232e8358939367b0117cde5519fe29e3c64009a96e5c74fb36d7d4a14e9e8d1930aa45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
34bf87e3bb206872b1e7947c22ea3a2d

SHA1
faaea637f8533392ee19a2e23bdb0071932efcba

SHA256
5a99294ddaff07fdeca5e43289ad08fe125aa567e06f3a549e63d793b46b3854

SHA512
2d6a4e769f19a29947cf7a5719a340d6c779d1d8fcc14113892d5400931f7bc623545d1da5a6040215f18def83dd5754d587a7a01ccbc0d300f061bbbf99127d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5760dd.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4cdd5049c4254c631a1366d31a996377

SHA1
31f8877e4bd4339339e2c7d44d221a2eabda6dcd

SHA256
df2171c448b471e53cb09b9fc27248176a22c3685ca648da7488edc987ea671e

SHA512
8e0dd7aa37bf7a50d30705754af45d95e9ae626c7a62028b066ec18cb05b16f9a4718eb4b9c34e29080733f66ce1f98aae3b69cb1c81931feab19583bfadc92d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
b978e3fff43e19f670c75baa94ad1cc5

SHA1
bfb9a473f15d2dd4ab96c365bdf2da5d42c07971

SHA256
5e83125139e14a3877ec8dc33db09635129a279c4be98ffa82bc61aadec00f8c

SHA512
8e755b6b9b900d3808f543a8503982057e02f09cbb238b98b937acad5569e79fd9438fcd425fde0cdbf71b57a728c0ee9f88363a49ee6e81753ba42aaedf7cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
cc9d5836e3d76580cee2d6073531860e

SHA1
3400d218935e1c3a4772ffd7524abd2e2bbc943f

SHA256
8a1834ac0e1d4dbb8c07e2b7aa9899e8d33322be95ed5aa93f242fb9aa0d593b

SHA512
9cd8e02049acd43c0a2e62c1e395e67e4395d9d63f0d359bf315f41c540c0bffd4e2fd2d0ff84e2af133609f6e8e54dce08906cb83ba89a950ef8d09c7c58bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
a04451abc7456497085aee6218ef48b6

SHA1
d1c25916b5658ea58d26086c9f178ca00e0c65dd

SHA256
d051e54ede8a15aca5c500c0320b05f4afe5789e2eb602c6504cbb9418ebde11

SHA512
c5d370d15852c29a242e595812ad26a3b11c2d68efda61936e96e8afe5dfed98e6d3e0ba1939738d79934676e8fedf5644035a49745d5f050edecaa2a4464ce2

Download Submit
C:\Users\Admin\AppData\Roaming\ef4817a092be0f3e.bin

Filesize
12KB

MD5
0a7e4f9bb4a44eaa85bac33ccc5b2014

SHA1
ea3feb7ed4f60bc5f8fbb8d3507ab65d70e1e664

SHA256
85786b0d54ab5d1ac8419f6e35dd6ac55807604da2cc83e9f169813da362ea76

SHA512
bd0d70dc75d77e121c4dc710cfdd228fb74f8d19f574ea2ed733d274c5660496ed858be2c9b6bc80650cf9324f18b3ef311c4a0ed9e407d8f4700ea74274b3a0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
00f96ba9aaef2363b197b065f25cacf6

SHA1
64611d45720bb0518d7740d9dded6e705a109f69

SHA256
03e06f212f1b4e2dc0b6ac4025b8e81293882c4abc66e814e0afc275346d847b

SHA512
9fc0c79ce9d798a009433d336d7985db1b0ba509981240acae662dd320351cdd715ab587481dfcf1d7b3599ec53ac9e8c3c4d0f9d04aba626b69735eafe6bec8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c0f517a82870501fc46e2feb3cec8d43

SHA1
61bac8d62d910732dbc42a4fef12e1f86b44bd5d

SHA256
553c04a671e00d931b31443b7e6bf9e0f529048df80bcd4252977e136ecd8fa5

SHA512
fec41d8f70c4368b13682f34c6093e98aaef266eded25991fbe84ae8d0d044229e9ef8af31e3170e34f432b554efff24258fbd70f8e9049cfc36dcc43becedc9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a9f7e7b1a008cc83cd56272dd1d21a31

SHA1
36a5d511e4bf4fa9936ffeca915b386858cf43bf

SHA256
673168292d89d174c2655729f784542f06c6ce64187b7a0988795df2d5bbcdd5

SHA512
005eec720d3c8ed252f584035147c60bb49a63977ed1586b2b99fdaaee67ba8e98c982c762b9a92b151d55e0404d7b82d9ec9215275a5bc8dffd19205b37ced8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6ae1edacf58eb5e5b6c4b0b7f74b92b3

SHA1
4d944250b8bd0ba661799bf8a612e4c1993d7780

SHA256
bbebfde7d469100af032db387efcb554d32b6e9dd6ca2864417cdfcd19f7f678

SHA512
62dda45e657a07cd785795074f7576ec40dcb14a2edb490a3ca7b3e51f2e1821170697644655467065b8a7bc163c99c059dce93f2ee6175f242608fa7bca9c09

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0ec004f91b3c6c56766f0b17e0eb3747

SHA1
1e1050c7056e358ce6a74cd5d24530e9a29ae9c9

SHA256
c8097c81623ab6f7c578f6a915d7c50b70485d9e60a8cc504412b39af1f3c4b9

SHA512
cb0dca7d1f44927857c3e621f1a2cad36c981ad259b4ba8916a4a5cc6d073c344213c045eb9ed8f82e542d53cfa91579963c20a35b63127f23f61d352789b041

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d404ad76fef6d706163fc18550142ed1

SHA1
472c25f8ba9ff06f46b3acf034482f28a880d878

SHA256
7e3e996aee288f929317387963eca77fe9eaf210db5e6377678ce1e9b1fff1d2

SHA512
b5cf2ddbf5bc335b7a0bf6cd3f11cce9c02a0c5d2759fdc6ef8f8ece931c167755c0abb3859fe81346465bb98c61e18b68f236eb73147b49c92f8c957768082e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d9e7a7dd3fa2d3c12656a8be8ae9aa9f

SHA1
295c376534a2b5ee0d4a095bca9a91fb41978ac1

SHA256
a99f327925cead07f2fb67d59d9cbab4601cbd2bb4dba819e9e0ede2379f927c

SHA512
73e0d59d693fe2639955de36114d1b97543e76e7989462942a492732aac6794e5843a40a84f8868456bdb418be438f081386555d2b43349b83f12c208c814756

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5acd4e3e9dbf95bcbb984dd40d5bb240

SHA1
7bcaf52e63d5e9a0df4e192be627b57626a9a03f

SHA256
f1edb4aaf7fc35fb2b196ca9f12c9f9f7c5fc0faeb2c6b7ad9e357bd610b01c8

SHA512
025c8db09ad05f1ff508316880f818f80e663984c1905030b927f14ed15916eedaa40d93f25917abae161ff5631f91f5d85828b5716126f2ec9b9b14a345e9f1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e89e6f70106f6168832ad3775fe5c08a

SHA1
57529f0e6e99c03155fdd2bed515c5b3b18af682

SHA256
8abe8c3160902cef61ed345b82fca999c8f3c6115e038a96e8f9cf859061f519

SHA512
204f2695e7a57778ada4b53f7cc6814e685b4194b8216ae9a79da624cb4b482882048117aa87ef8fd11648842e3eab2d248dcb0cfe773cab5937a5c87229840d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fbd5fdc4b1ba31c8e5551d3ea1bab9a6

SHA1
0cc110ddc04d7587a128bec646017e3d3dccd9e3

SHA256
95dc1f6ba707988e4fc0d09ef15eb3b39e39c87ba59606861f048266f701685d

SHA512
4be14eb1b0edda8ccf7aa0bf2335b425f79e3c70240bdcf3c4a607862da0861976c944305ce55af05afbc7549f571d63ddd97925c81dec7c633675ab7b2f41d9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
184ca5abf3320bbdc9081e12bd801394

SHA1
ef78ef32861e9bebcbca3ece580c19c1d841c4d9

SHA256
391f9416f031c08e7a20b07345dcf17d53334285b690841480a643cd8c5376c4

SHA512
e8ed1093bdb02339e2612929f7a330ddff9e779ca7c58a92f218fc67adb80a612f59057f5a942011622899b6385d9ba4eee0e800244c96715af2ee2b8182428c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1b4db75103a15cc311471807c866c4fc

SHA1
865900c14bee54e619a939bd3deb1ff59cd649ab

SHA256
1e2b5000592265ab6daf59c619fa60383b6ab295745950e407b7c3fd4f931cb4

SHA512
836f3e15634639eb662f36b3ba590b794421319496d3408ee42e2b96355c96b749299db3904326c3e0d55e6d1bba32a0fe30403bc26f1dbc0918e673c221b558

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a9b46328db10fa66cd95bc6bba6bf9b0

SHA1
2e957deaa034d932df86db1f45a7b7a2d64ed556

SHA256
5246e91817a334f2ba25d9999ca77d9ffefcbfcf87a8283ece3e56bd8b4c1260

SHA512
0433072b17367e8fa7549acf659ca31ff029e38ca7399d7d933716dac4dfcfd50120a075a3b0b4380ab7a4d27177f0d45d95c8ade353ed754a27fba2e884a15c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f9d62e6357aa7d41058fb8272f99b68e

SHA1
dd718d251ee1d466870c1687aa189a5ed138ac90

SHA256
18f42b3c298a7cd3db47674c89956be61870e970bf6552a8100a6d040cda0120

SHA512
e1cb431cc2d6c9ec8b03af43fdf1120ccca2ced47e7f7afe3f81825de164cf46f7c82a6dc7f1153e2922b22cd5f57bc3d558cbffbd3765b4b1c633851f6f6b74

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7fa9eb58d80e207009605c111a7dadcb

SHA1
03c4615d8acdc308da8f48f74be3336c8e02225c

SHA256
100527f9484446a2c1b8966a8d954afa621f612a59f0bf5547a675f614638e18

SHA512
c77ccfb88e2a25713b59bd2f3c89e0719495c89ade1af45e48f163c2eafa53e01a43316bf0f3cdaaf5ee8d2d73170e8c6236db96a83e2039e9276eba4012ad37

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2b844c61da52e43fc80b6e1beae3d945

SHA1
55038b8abdfcdc8a956d7212eb51a989c553b2f0

SHA256
00f8fd8349c44f5fcca8f48b25d06946afe378c50e447ea9a076f73cab4fc614

SHA512
e962ee2913109b358f98cea96b3761be83896a9b86c4021cfd43dd7f0ca0e3eb31f3e8263e5b6976b42cddad91195be575513784f0e262c66ec219f9927555c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1b33bef56b385e4e21df693ad07ba9c7

SHA1
9a0339a7f36d926fb3ff90991cdeccc76ab90dd0

SHA256
35b3380a9d1f521b0797a82b2a9ad235fa33a1bac5952f8855c189fa28a778b1

SHA512
919327502f769c6d030b5caf0b8fcfbc2421509dd48e61aa2c26f662f03487c18d95ded1e787feb3d194235ce93edf9f5e39357fbf19f1857a3f26819aea9c2a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
da7397e492d7b5920778a81fe6b9bf65

SHA1
308ec232c60f1a4f8a4c09975b364f2683f3d8a8

SHA256
f16aadb056ac74cfaea4884942d6538de5f4bc99217b7e233cce3c5a0db20587

SHA512
581f86a7b69beead563dd0a03f2cf56bc29553fdcd55c1a2c44c10f6f634d06869a7d6bc7a94b68f9acfc20691dfeb6209f59a49d0a5d0675740eed94642f423

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8b529e651b740d41e86b684887e5d708

SHA1
5996ba18ccc3f8453384b7a091ec9808e8ab2741

SHA256
25e9d18e29a69fd7ff2244bcc1aa39eca3287482631c8b643a4d50de2c1fe8d2

SHA512
a4b68f112936d061eb7c33accd61f6a2b7f82a8671302bedde4ec8e52c71ee0b8696dd735677836b9b9c9e31dcc7df0811c55a85e5cd3e481de2763d853fd41e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c39018b735904fce971508512f653f46

SHA1
7b621061598bddbdc078bebea2deb26d9200b15e

SHA256
2e0fc505131b08aa65d56a0aaec0aa8ac2d7fff298015ca9515c52da5b67af08

SHA512
73d37e2922d8bdb0e5ac27b8ebf404902da4254569e20a2f1aba77ea6ba73b0d24fa2f911eed5e1f5f8c22e2ec12c25ddd2dd6ae52e85b11e0e37a0d30cbb21c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\ef4817a092be0f3e.bin

Filesize
12KB

MD5
695d21e3d0b7b9025c07c166760f4107

SHA1
cbf34ec9d4820ffc82138670773c9c4749b1392a

SHA256
74524d5052547005d9a48b93993ec06f68fb7b944b47cf44cb5bf0e1f17e3a20

SHA512
6c971ca0b615ff168ceb0671409c136540ca48c600e0a2508a8f0bfa5a61448e33af240606517a33d0ec828bc89f8babd28839a28cf5106679e976316dac197d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
439b93694b579d22f8a7c473322c8b2f

SHA1
fa10967e1e70d93d2ff969b484894a22218510eb

SHA256
c6cff8e436afe8ca50a4544d8e842addac5533e21b5cc364ed2b77158939decf

SHA512
5b0ee4141674e5642bd5eda5441c6ce0c3b3e0cf0d9f8aa35c6df516a5683eed441c16b5e8982987c0d8bd4ad386ca0669d745cecc36a938d11f7291b1e406cd

Download Submit
memory/860-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/860-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1020-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1020-175-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1280-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1300-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1300-536-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1516-158-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1720-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1720-157-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1896-41-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1896-47-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1896-191-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1896-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2020-470-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2020-575-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2416-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2416-445-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2540-551-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2540-103-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2540-102-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2540-96-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2676-459-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2676-483-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3404-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3404-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3440-161-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3440-558-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3796-160-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-494-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3980-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4144-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4144-176-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4288-61-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4288-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4288-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4288-436-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4512-174-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4512-19-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4512-13-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4512-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4884-9-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4884-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4884-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4884-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4964-519-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-90-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4964-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-84-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5004-110-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/5004-153-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5168-573-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5168-193-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5184-184-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5184-570-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5268-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5268-461-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5376-70-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5376-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5376-64-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5376-75-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5376-77-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5388-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5488-154-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download