ed326edcfb5a4a79931fe45165a5370375c9ea6a67679e9aface1c0b119fb181

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
Size

5.5MB
MD5

087275fcdcf4544729d68ee56ae6e6f5
SHA1

eb6049ec0133af07a9d5eff66ede181dcc9c197e
SHA256

ed326edcfb5a4a79931fe45165a5370375c9ea6a67679e9aface1c0b119fb181
SHA512

89d51037b69aae40043e9f581d28647fc97223751eafd66ed47a0bbc1f32412df00f0e0bb901d8ac23f75500287bf908677b28792400ff3b391db6a9d5ab755f
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfy:/AI5pAdV9n9tbnR1VgBVmAfOVcI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1420	alg.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
3320	fxssvc.exe
4024	elevation_service.exe
3032	elevation_service.exe
2600	maintenanceservice.exe
4140	msdtc.exe
4556	OSE.EXE
1708	PerceptionSimulationService.exe
2936	perfhost.exe
4284	locator.exe
4680	SensorDataService.exe
2560	snmptrap.exe
624	spectrum.exe
4724	ssh-agent.exe
4212	TieringEngineService.exe
972	AgentService.exe
1084	vds.exe
1320	vssvc.exe
4460	wbengine.exe
3716	WmiApSrv.exe
2904	SearchIndexer.exe
5556	chrmstp.exe
5712	chrmstp.exe
5848	chrmstp.exe
5880	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e13b453db3b9834c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c3bbad620c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010cc17d120c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f80ca8d520c3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c45e1d520c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2a510d120c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007231edd520c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010cc17d120c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633684623419130"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000359a92d520c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016518fd620c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
1028	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
4440	DiagnosticsHub.StandardCollector.Service.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2572	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
Token: SeAuditPrivilege	3320	fxssvc.exe
Token: SeRestorePrivilege	4212	TieringEngineService.exe
Token: SeManageVolumePrivilege	4212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	972	AgentService.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeBackupPrivilege	4460	wbengine.exe
Token: SeRestorePrivilege	4460	wbengine.exe
Token: SeSecurityPrivilege	4460	wbengine.exe
Token: 33	2904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe
Token: SeCreatePagefilePrivilege	1660	chrome.exe
Token: SeShutdownPrivilege	1660	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1660	chrome.exe
1660	chrome.exe
1660	chrome.exe
5848	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1028	2572	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe	83
PID 2572 wrote to memory of 1028	2572	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe	83
PID 2572 wrote to memory of 1660	2572	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe	84
PID 2572 wrote to memory of 1660	2572	2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe	84
PID 1660 wrote to memory of 4256	1660	chrome.exe	85
PID 1660 wrote to memory of 4256	1660	chrome.exe	85
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 3608	1660	chrome.exe	113
PID 1660 wrote to memory of 852	1660	chrome.exe	114
PID 1660 wrote to memory of 852	1660	chrome.exe	114
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115
PID 1660 wrote to memory of 512	1660	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-20_087275fcdcf4544729d68ee56ae6e6f5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e4,0x2e8,0x2f4,0x2f0,0x2f8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9267fab58,0x7ff9267fab68,0x7ff9267fab78
    3⤵
    PID:4256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:2
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2720 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:1
    3⤵
    PID:3868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3616 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:5564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:5344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5556
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5712
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5848
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:8
    3⤵
    PID:5724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1912,i,10264726800989467315,5929597765032365550,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3052

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1076

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0c498b5834e72e8a6f749910421eb4bf

SHA1
77c8923c55030f8f157410c899850f1aa6ba540c

SHA256
f8ea9cc918350ec6cf385959368415073dac9c14f6cfd10aa25e9a933d72fcda

SHA512
324bfb3bbacccf23bf3a7b97f1caa6aed8185711c43e0761538971167b6516f5c14be1835105c37681ff17d2e352f380b862bb0cd13739292c117b229a081b99

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e61e3406f0453700b7bdcd578f0aac31

SHA1
8b59d04b34c14ed1ac563d1cd2f37bb86ec7d284

SHA256
97987188f42feb1defd93530cac054e406def1f87a5daa23a76a7350ae4a1204

SHA512
0cbfc9e48cc1453723c9f7fdc9c773349ab2b16c566690a897984064a8fa9578ea0f608fddcb0d982496608e304bf4ed8b4a658a0d1ccc9338f6eaef4ddbdbbd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
917659998389c7675a7b1059895bbec1

SHA1
51b8f2be6f5af2fc10822de25f541098190f6bd6

SHA256
6aec33586f06cef6183d73ff44bc11f37ec60d3c8d5b084dff70e7f34ac2bf28

SHA512
c119f105afe8e3147ff460b497955e1a408daae30d0ae5a432e9ede1e8a34c21796fb5c4a1afb000e9970670bd51e98ba34645bd506ff846ce72364360d94dd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
81fa13a3a35761383e8bb97b00f9f3ac

SHA1
dfdebc540c9b862711d6db70b9dce282507c219b

SHA256
83f5f3936cbb70340c79f0e922ae59ee2a24c6f61efe29d5210b28c11fef3b19

SHA512
ca01eb488aac85d00018734d2fed88a59dd2c3725aa8956c2f4019ff1b64adf7af41c36794b6a89a5fee9fb2cb8ee132b7b04a050341be1691828b1e553f702d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c0a9829fd8fee4100393c12fcb7b93c2

SHA1
aee126249a8d7a2d77ac195ff4fb36f6ab83cfcc

SHA256
1cd466fd4353c754878a7e5b974bc68b5ee0239e92d81217de6b93d445a83157

SHA512
604c5975810d8fd4ef6b1d27b0de0c9c9b9fd4e53c0df09843dbae6a78c63ad712b94a81338c602c3015c3a1a9a5012754e3b559cb9fae282ea3f1c8bb351244

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d317549038a40b47057606d5def47c63

SHA1
3af44fe21312196b937d9cafaf6c455f08e97418

SHA256
6a6381c7b55da934d806ddec5247ce2e6ef87b2f5ca5456141f0f389779f5174

SHA512
e4be1af2014be9f1b1495c44e250ca063b286fb65fdea9122782b56e9d9fe896637b532db1e84ddf384561a89b18aa979dc10dec2daff1faa4daf77a4ce117a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2a60a49d4e9df865ed80fe7315cfb5ff

SHA1
ef9f074a8edab7ba579f44d9b23b273ca512ba46

SHA256
3927d9cfc355fbe17b4c5466f006984d6940066e4a45434432a8b8f7ce17d96b

SHA512
981251c06c0f2468e32056c1282506f325c447ff5cb0e0691371b738017080ab7e59035fb78a1bf15a25d4652c390bce3399e8661f492508a1eb83050292915e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5d2bdea0f173dbe9633c7a5fd14cb10d

SHA1
5b2e0da54ef8e460f6e1d69265f312839f86b1c0

SHA256
bd2badf8340a88d70dfef450f299f475a57cde16383c188c916ad780bc01ba52

SHA512
4a5186a036699261ab09b136d84f59ac40704db955babd8fbc4f6f4de2ec3ccf174846e9957a098bbef100d13a3e5e0afc0ff06b60c9cf043e5706566891fefb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ac1ed192f0d654e6dbe797fac8fd2b83

SHA1
5ac0b55f759ede3f7fd140b4557adeafb1f31557

SHA256
92ca670cfda1b403d003a8c8ab92640e20dd9ed6bb55317079ec07a94184271a

SHA512
86b21a10a3273fbbcbbaee12486284696e11f829abeb5da84c209e409c1046e95198428ccc9fa169002d9b7e0d02e05a7c2ec7f92ba9183feaf1dd5ffdf78eaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1c933f1f5fdd7c9d0c40d23c05a005f4

SHA1
e11aa0e8c45cc255fe6dd7b1ae641cb83e5287b1

SHA256
a9d6b9c0ef12643658b636d96053475264678fe3f5572516f38039ea7bbce41c

SHA512
4f71f8c1a59f3b645ef06543d8ad9428b2c27997144bc1c1bc616cd2ec1b61ce7fad294e33015bd09ed1ef8769f9c98540f9e114d9e867bf071bc5911913c484

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7b3d91a2d9d56e4052dbef2ca20b3287

SHA1
49b86c793c1ebba20b1ba65b2b205b2ea2082f1f

SHA256
8241e5a4423c1d02ad3078c7303d72a46f0550e3d72d186c920537212730d3b0

SHA512
cff8da129b17af776f6f0567fccbe9e81ca90f95c4d202e9586784ec24e7782114f199b5f1327243f66cdccc62d975779b4324c634d7d56bf7f0f93b30078ed7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
610468b49bee3be61c2dd8559f184ed5

SHA1
ae8a491ddfa597ea3fcc2cf0bffb6c5fe1444460

SHA256
fdf2d9161b381ea5bd9aa45e02c8ffb337ff54ddd6a3ce8319e7eb2ca0fabca5

SHA512
2856abf44330cf7d3f468f8d03abb86abbd4df31071f70beeacc77dca9b8ced44af73d6a8c99d41ffc47cb6d5bad9604b92feabd007da693fdfb596f498cd1e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
49f35705ea20073a21985cd73c2c2021

SHA1
45d03c1ebc14bfbf872a6027f2d6d8dda5c66b96

SHA256
4d87642d28bd61a98996c5aca8eead495c3df2c28484868d73a9daef483f54f7

SHA512
4984d1a84aeffd226154a61e56cd16c5baec77fc6fa487285fa8fd6c08adeca4d433d88dbd098e0af19f718f052099e49523d04952bfccb4c1c88968bdffb95b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5c03595b4b1309f246fb13c0fb3cc7d7

SHA1
f4f405175fc5df1f27066d029f28709f6f599a13

SHA256
3828feea063bb1ec0c88eea3f798967081d5c98c4662bbaed15988e726309eda

SHA512
72a1d8f8815f11661c1622a08ff6df2fac4c3d3dd30778ca448bcb4cdcd2e272fc960ed53f18fce1a8087db909e7c78cad182d1d84f7ab30f28c86df1440d5c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6b5b828b258ec71f649051a1b0f6302f

SHA1
a50f6d7e4e62ab1597a605e4dd8e2280d0b7b305

SHA256
03979eb0bf62e7a666a6e32973d9da39c53e2e9e5652d884d8ab17463d43165f

SHA512
70465a3ba5622213c0712404e7044621fc8685473447eb1c2370e6ceec7c4a3e4e8a31e0a10320b8b43ab186c96dab529b0a6a0559c1894904c3ae99d05c991b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
62ddf3db5d4db9814fa74137cbe1ca64

SHA1
10dd59131681edf0c034911e735c68957ac39ac0

SHA256
528af2fec411f06c1d20287a32e7bd9705339ed6719d274fc881a5db91adcbc3

SHA512
c2b0b249393f6bba8a31c2304e5c0c7a7f733110a2b4774287388d2ac4f1c6353db2353cb7a5e6023c9cd6d83151ab6b2bb417ece5b05cdc08d9e7558ac72fa0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1329474b-1435-4784-9a68-80a68ce2df76.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
88db37fbd5c9c6db5d4654c40b7bff8b

SHA1
25c1b7d8e6522c1f5f0ee3b9e285f4d87bbfe014

SHA256
58661baeff510acb7e39ee6b144cc6e5eb37b16c46c4a60bdff6d7b916124232

SHA512
cc5c0c2a31d29504d1a93cb26ce780b327a498de97b3c8813bb54eba3364c5367c399d22aaf6fd2b12c76cf429269a26edb95ded39b6f80736f477478a4eeef4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
98a89870b75f9ebad5e699959a6b6e48

SHA1
719473d941893bf56806df33e1b38efe434a5b32

SHA256
27c09fbf32903475c4b85e9b9ee8d22e9db84bc7873f53ac94b3353428640ad6

SHA512
ea12ed135b3c61012ebf35a6a111384a9c53cc8ce7303c62a5d8a64cd35e81abc6436ec5244dadb808714fd607c426708a6189c869da7928dcd23276612a61a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3ea070e60e7d429e1e61c8db38c29e6c

SHA1
5e299ee911c837db884fb5fef2f5abfe4e9e8863

SHA256
b2a5745d6bc2caf9e182d87fe017e223f6237fdd3768705f02a67a10b4cc2d66

SHA512
bd55194313210c91259cdfbe4e6cbef7eb74adf00b7bb292cf8bdeb109eab962f8253ed0277461b94fe7eacc644648318baed002cca9af07b27b00e584fb7cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1b26031f8f3a11d96c5832c98d080809

SHA1
45795a3468773d0459e2616e2f62e3ac93ec4b66

SHA256
da4966d338c8e77a50950ae1a65183723c59bfd3e89728d6a59d4f1a5df28c8e

SHA512
7e7c8612f80edc7b616429db82fecade523842d7eba0667579a164b126381fafe439a47a0cb4d723e9687687e82450ef10bde449b7062c83d267960346678a61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
af56686abc17fe339c21f0e1227133c1

SHA1
f21a06d87162586e3702d0def93a1709491e15f4

SHA256
bc261a82519d81dbc09a5520902969a84a403f23813678ad487997f77686c6ef

SHA512
7fe695e2b13f81eda2506a602f2a5e7a66c61c910a38a19b7332b31b61bdd3e01d0cfecb856e24f4724fe33de1cebcb04b832121c392ccefae536d66aaf921ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
77aaeaeff4816a314e5c564a07d7df74

SHA1
5d0387fc6bbe3df74291afe6bf0783418e2f7904

SHA256
15c7ba83e46bff6522b711530bebdab5e19e9e4655963249a33da642fb78062c

SHA512
17466cefb8d343d2038faecc90d3f9f05bf96484f05e3e16ac9a5a42cdd8ea7c7c4eaefbdfb891798f4a50e965bc32271ef8414498288ed1460789190673a107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57685f.TMP

Filesize
2KB

MD5
d815a154d920aff927b3986ef84917db

SHA1
c1c2bd7df2e21219963cc39d302b18173713afc9

SHA256
0603be058d7ba2a08d3233e42e5575b76578513ddc7e3cb58fa53fcbc5e26028

SHA512
7f7fbc48d9be3c0a935906b277e766261ca8fc1b9eb05542d528bca09d1bd817e6bdce0fd87fe3f56e7597f09595b5b610eb103903a66c2bd79de04cb4f250c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f965e83a24e9251e6589b205587b5a26

SHA1
1a6de95b025e5bc9b30c09ffd61eb4627ebc4856

SHA256
12451f09f9f46d02eab2cba439f5b064b3e917404514496b7f3eea3b30a51434

SHA512
cc22c9e25ce1b973ce4f7d2fe879f1237c390885e98f41407e364bea2ca7df4aa4fe927a28b10b12e181e3042a358b29888b9e765123eed49e6ec58433d1cd01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
397dc73f7aca2a6c61aa215111d3c2ba

SHA1
ccd0afc34a52903c7d2f48565ff20ad914907aca

SHA256
678a258b9edc489ba628dfacb3b5dbd6ff02ae9e2171c4f8cbbfdc7b1c7f8ec5

SHA512
a0fe9a8d92870056557381f23b88f232273d818e92affd1f33ca05912494939df44ce290bd5063af9d2edc01a81b8431481f5c402d469f90ae4e8f0e39ff3930

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
7360b90897d59d09c1b24a8f7146c95d

SHA1
c1fa3d9f8191d1954fb7555753a4578123cc76d4

SHA256
796a76e0cf27705fc598d704f70767fa1ca613cc7cb5356226ae2e5e9c5f6637

SHA512
e61de6a8a1f9052c2ad1bec7b15a8812eada0441efc2fe4887c1470de7bbfe68e3861fbcc0163d1145584fecd0d93c1132a7ea87b7ba99db54170b453d2ccad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
32db63488e14d3d4259926e49406e63b

SHA1
2fcd1683896c79852b5ec10ee1ac0d4ef215edb3

SHA256
f2f4ab3a7aad8c603949f6e89f82e5ccdb8f00abebf6a6eb870f390004149712

SHA512
1998c4d237eb890484ec53139b45c2f6e7f6cbd6bae5f5f8ada137a3e94b77259fa5a15a6985237bef79bd07623110452483868ff7f2167eab04a5a686b700cb

Download Submit
C:\Users\Admin\AppData\Roaming\e13b453db3b9834c.bin

Filesize
12KB

MD5
b5f59f910fb503d7bf9d390d80214ed1

SHA1
d514c2fe470e5ca864812163a17908a7ecfce960

SHA256
d3092570649340673b4c577e01e2dcb6e40a0c7b90c25814b6ec782b7ad788ea

SHA512
65d7bfbc9fce264aaf466a3d47fb25503fea4cef35cffe57df45ad5f8d7562b252c5cafc6814da556139aa868de4447ec5766d4286d3a2ca01cbc7be51185a10

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ffc9494a328947406421f7e6ad571b27

SHA1
c1aa5d387a77f9b6c23a5f32cda413e163ace0b2

SHA256
0153f170fd14f01d0c9402e29fd64c2009a587ec56c5e27e760377978ca0b122

SHA512
8e2fb94de3dce3fc7219c607f3337968ecfce365348cc1fbf202e73c9ba4ae5379eb447c5000a5c0a1a19080a1028ddbf3e0d44e154e0f8f38524d2171254928

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
14f1efddc58d3f14303a7dca26151d54

SHA1
ebe8d6ade08dcec2d437f17d97a2722246a1166a

SHA256
7aed60d8edbed69a6b097dfd2fa6f9d8df7c6e51aa664647b0aa089afcc3629e

SHA512
cc953d8331ffc9523b41de5985e2a47cd1c072672380a442236333b3b4c9600563458e9f03373fd8067deb5e79afaf8b126981a4e77d0d5c2e4a1eebb9a46ea6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2ab06b5e02d0f41b3f36adb617d7cadb

SHA1
6844e6702c06de443f44e80d5f5633bed51ecd1e

SHA256
5ad0a35a5d319302dec920290c34723a7ce71bce303ce4e3c818e19a8589bc98

SHA512
2fcc367dba615e0bf4477b8c0178eb5fd41d13fd1ca731532ae2a6d5c6e072654b1e91cfde5783e4756219c12181405567c1d54e2f855d63b8e818d0cdf89192

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b08b64b558620b6da1dc931f07eacb90

SHA1
d31433d917502795701d600e857226994f470ee4

SHA256
e0c50721fca81670fd3aecd3dede7065d41a9c3a64bb39f9801a24d060ab1315

SHA512
c4b688fdc480d720c889a36dced49a717bca127a610fbcdceee0ca25566475615b601d0f39b85d509aac57a9491e05ece3f424208d4814c583f45b97c2fbfb5e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
78dba7669136855f5a9be3722a1b4dc8

SHA1
4c8431ce9306cc2972da75bc3f38bedf7e1d8f4a

SHA256
b0d553318e12eb30f0abc945674b7a3976af750f702bfca55af25dc94ede1834

SHA512
edfdf1aaf7c93bc35b804e31721a62f28d1ff9b0d27b238a91c3cfde1d88efd0ab42f6dda9d54d92b52954eda9a31b83bef1f214f999ecc5a354852ce2f9246a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a2c4d062efdbdc68847ee1af2eb264cd

SHA1
ca70a48260fbe75d341c16a5bfffd3216770c67f

SHA256
8ea66bc029e401527a6403057c3498947ad45ca47e997f618e1ecd690c52f246

SHA512
1272b8cb37c1462582e6f9cb7259589b91dea36f18f58c01da2fb194ad55b8764879fd1500cd045b10662b1d11b16d7e7e45b80e71b508e89608b4bafaec154f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cecea261d8d4bfe4537bff9e8c84e8f5

SHA1
17c476761efd63deafce9c877ea2b0fd4bba6525

SHA256
6ed6be0ac0c60bdb62167d4a5795ae20dd5e84a997500ecde39bf1af827ba899

SHA512
87a4640005ccfdfa2ede592b6a9f72a692e801120a5d0fc375093ed1677fdaf4247c86bdc82ee8d78cd5086ec4cbae3de7be37104e0d1bbbf81ae97551d3075a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
676b847cc0ab64058f8c50205741daae

SHA1
a9fc54808a73790fd0da1767a876f4c4ef70edf6

SHA256
6c6847ad5b5200886679529998213042ef48cd018ab7cc7d5ea486257177edcf

SHA512
0502d0d3c8a196e480498fcad984797c34d2a47b0494c484ed0e7389784633bd666c3ffa40cbd57c44d3aa66b62b9d04ae1cf1b3ff79632462be6e1f22ad54ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f004308cd79f4c2993ba416a32f62b6a

SHA1
a34be280010c45829b6c695baa077a84f6901179

SHA256
ec65566c9ee4ad09f04321fc007f35feeb4043595783a328a0b997bcfaeb329f

SHA512
1f182fb4910e0e8e8f1daaa4d2749d46a0c95c730273b1ba50fa2b33519c5b35fade3c44ce1c46b4efdd65565f43c0b2b7fb3f510a1af6a02d44ca753c99519c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b2ac9b8046dab0b26a610ad88f0a0d6d

SHA1
d3d9d2cc18bad210cd8d5b2f10e6719071b445a4

SHA256
653702b98b65c94a7943b55a5712770b4396a2e065318bc53434ec5100c5cfa1

SHA512
5bf5c961947b80e7c3a0497429b6a59025a0d02a1c19f8b255078fe3dac5f64b758ba807b6f1157e0e9d9e4debc572c0020ddfa692a81ea527ff7d7ac11991e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
00af8ffa2c9a4b1be4905fcfb812fdf6

SHA1
cde80e282dc75792918796ebd62cecdd4035279d

SHA256
8cbc4b1470ca5b833e69b0a826b473f8fa9647d471a5d04b504f5dc88afacc92

SHA512
38f70f0faa75470563b0af2fe2137161db391866b4253931208af0dbcacd1f33c23be0c56ffaefd8337fd4fec508a790092c493845b35a07618d0ec982426da4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b48e881f3eab3bd07625706d90852152

SHA1
4a812c8ba045c60560f8fbd4a59edf8a61bd3bdc

SHA256
31d61afcb1570149462adfed891ad860f19df60349b310adee2cbd434ed74e81

SHA512
ce2204367f6bc4581dc893feb4bbcdd43367f945be87107c79b69ae8788b6d1b543d969cd1df79450ca1164c5c586ad1f8cc6374ed5c220ec4f19b130598b35e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bdd6aca5d722620ec39ad5bbea8964ca

SHA1
be41f056a63e5fc59f551737eb8b4673d344b7bd

SHA256
926e854d9a6e43ac196fae8324cab351dfbf1ccad4ed040df16bd0da7fa0834f

SHA512
07432e540c025948225e9e55557b3b7b51d0a89ef884eb9628a919d463fbb0f2d0d6c81f71cecda21cae799b43e974783764c76cfb0130587cb4d20312468a8c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9f9ba374d0e5b1b7f6cc9451f916c17b

SHA1
b1c9260096cdab0be32b19bb52c1d7ddc292d13b

SHA256
7f56580ef930afed5837a50cc4535451d45aa538e9817d066644b2d378b6b830

SHA512
2094a6d82760e41ab1b06eb1a03f3febd8abb8a4bb3c61b1cfa501114772c065cdca71466f00ba49b3c97da81ab9d4a8ec7368cd710ac966629b75ff1f3348e2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e8b1e0dc261ee84c5ec28e4184ddc27b

SHA1
e172678e5136f8ef24a1dc4c4c48df196c64148d

SHA256
1d5ed0725c7129acda23f0ce36a6524c755c8dd6dbd6bc6907cda712784a05a6

SHA512
07a8dd5182023d4adf951b196b05f4e39bc505c1be75927696daed335c41476184042d860d9a4ed607d8f0722e5d6e14793774056de94c1b35384fefc54b1c40

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
79023da643ca9e6595122fa076aa2958

SHA1
c42757936f6d2019364fb7edb8b22dc018bf270c

SHA256
365f52c4a2d03ae2f839cfccb4b3d9a7dc9940f42572f2bc8a1e21badbdc7ef6

SHA512
a0c0730b19ecc6f10b4e779ec52fc357f590a266462ce81396cd570db6262f0f9f933100dbe37c4cdbcbe2422a5c5bcbf92859c136e08d5283dbae2aba343cd4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6ae7cf2ab0ce0288c0dc231c6db4751b

SHA1
769d16793347b2ea07e9fa2d591a695be2d64896

SHA256
8a5e5f78bd380f77399354ea609f1a82b5c9b949b2af9516a08bd64546b3e73b

SHA512
b141ee2f48b3ba8fba5509926afe7cf325da7192ce88ff70309ee812b511fd6e6ddb4566f8b0bcb6631cf0eed929e41e14e952dc9455e109d95cba6c7ed5f4e8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f5ef6a851b11b48c113014e9a9d2cf0

SHA1
c9e0b0c299569937a5c849bcdc0ae4fb115c02f9

SHA256
df767961b8980472d247dc02fba1458777b8a8e836fd2baae86a99dcdb204368

SHA512
5e7fedf74dd2435df4d0bf3f6ffb0d3608e6e10ca31e8d910827f7eb2ced70e2abf4f5da870a3a0c057d9243c1ffe3b8b05c0d939db157f2559254b46eb3b413

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
36ce2b6cad119c81a528c439949cd5c2

SHA1
f635102f17707ca52a99ae7082a91df76d1c4d6f

SHA256
0c090de79661e741558d04a5e53e617bf3a81c1bf4fca885509d6297f59ede52

SHA512
848fe3baf38ddf286b42c0c9a4c443d3851fb681a095e1311d0a312cb84a6e99aeee42f165d51174de98fa6ce862d6851d5ed3c9eff6aae5d323237f48c9e878

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
87063ff846dd8be9fbc383451f22eaf9

SHA1
55fc14d919a3033421eaff7275c11bd1898797ee

SHA256
83ae9c782bfea49c88d9d68528b75435cf499435123b72c671d13486223f7660

SHA512
5b21394a63876584886ca668033557d687b017ab84c706bc45f031aa281dee478eac93b140b5fd3902eac6dae17f4a66763f885e752c17c2d5e3ddb6d958117c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2e67498be151a33caac7f4a0790820cf

SHA1
c6e03d8696c8e2c00390f451e226fd028fee4a03

SHA256
7636f3b4c36ff7d364c892bdf366d60592df0efd2793f0cc662b1b6bd1b01259

SHA512
dd3a973d22054ed23c37d15fda952948d5479c82bad4d3b4953d7419e666d11a375d05e82a62a78c8e1260ebe13adaaeea1e4f14a0f51759f21c50e1312ded7e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
2c495c721afd2cbba4f4e8bf9497dd80

SHA1
3a16a1057de7df9bb4ce4e2c4a672fc670916a3a

SHA256
f99bdbbe61cf2b684dd2465e175ad75dcbc8dbd086938002b274f23ef8711aba

SHA512
2f86ab2c2440606af72452f08e3abcbf57f0e5c322d5fc8e04b8bc3188a9eddd35ed81f114139e128a4034f4843231febfc692d95795e0792c2f118e56e666b7

Download Submit
memory/624-212-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/972-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1028-18-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1028-12-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1028-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1028-465-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1084-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1320-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1420-33-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1420-513-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1708-103-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1708-207-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2560-211-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2572-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2572-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2572-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2572-22-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2572-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2600-79-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2600-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2600-83-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2600-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2904-628-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2904-229-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2936-208-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3032-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3032-626-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3320-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3716-228-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3716-627-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4024-58-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4024-52-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4024-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4024-306-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4140-205-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4212-215-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4284-209-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4440-35-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4440-41-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4440-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4460-227-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4556-206-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4556-96-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4556-90-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4680-496-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4724-214-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5556-429-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5556-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-661-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-441-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-478-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-456-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-662-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5880-468-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download