7e92941cfe4ad080f10571bf5455341d3000069185d90bff98d18469ecf999b1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
Size

4.6MB
MD5

9179e79b9b982459b27b5a0349b3eb92
SHA1

3c139fa08e1f4f08dcb4761381716876d6f0f0da
SHA256

7e92941cfe4ad080f10571bf5455341d3000069185d90bff98d18469ecf999b1
SHA512

928076e432efbfdc4ca21e01f59c81506e75eaa5dcb9d7db6e9d42b30d67977e63e3fc8287c81b4804ca23897ecc35ac0692b9390ef09d61d8f98bde74dd2f56
SSDEEP

49152:pndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGP:12D8siFIIm3Gob5iEOU3R

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3144	alg.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
508	fxssvc.exe
2240	elevation_service.exe
816	elevation_service.exe
4220	maintenanceservice.exe
2328	msdtc.exe
2268	OSE.EXE
116	PerceptionSimulationService.exe
3312	perfhost.exe
3412	locator.exe
4860	SensorDataService.exe
4464	snmptrap.exe
1956	spectrum.exe
2040	ssh-agent.exe
676	TieringEngineService.exe
3092	AgentService.exe
4644	vds.exe
3564	vssvc.exe
2168	wbengine.exe
2636	WmiApSrv.exe
3876	SearchIndexer.exe
5580	chrmstp.exe
1800	chrmstp.exe
2092	chrmstp.exe
5420	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\91b993674ba38143.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaw.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcf8d37649c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085fbfd6f49c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a22bc7649c7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbd5f66f49c7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f36f96f49c7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035f3987049c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638257109280505"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000410ff26f49c7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d474a7049c7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
1748	DiagnosticsHub.StandardCollector.Service.exe
5236	chrome.exe
5236	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2696	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
Token: SeTakeOwnershipPrivilege	3180	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
Token: SeAuditPrivilege	508	fxssvc.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeRestorePrivilege	676	TieringEngineService.exe
Token: SeManageVolumePrivilege	676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3092	AgentService.exe
Token: SeBackupPrivilege	3564	vssvc.exe
Token: SeRestorePrivilege	3564	vssvc.exe
Token: SeAuditPrivilege	3564	vssvc.exe
Token: SeBackupPrivilege	2168	wbengine.exe
Token: SeRestorePrivilege	2168	wbengine.exe
Token: SeSecurityPrivilege	2168	wbengine.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: 33	3876	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3876	SearchIndexer.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe
Token: SeShutdownPrivilege	3336	chrome.exe
Token: SeCreatePagefilePrivilege	3336	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
2092	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3180	2696	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe	85
PID 2696 wrote to memory of 3180	2696	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe	85
PID 2696 wrote to memory of 3336	2696	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe	86
PID 2696 wrote to memory of 3336	2696	2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe	86
PID 3336 wrote to memory of 216	3336	chrome.exe	87
PID 3336 wrote to memory of 216	3336	chrome.exe	87
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 3484	3336	chrome.exe	96
PID 3336 wrote to memory of 1168	3336	chrome.exe	98
PID 3336 wrote to memory of 1168	3336	chrome.exe	98
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99
PID 3336 wrote to memory of 1028	3336	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-25_9179e79b9b982459b27b5a0349b3eb92_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbf2f3ab58,0x7ffbf2f3ab68,0x7ffbf2f3ab78
    3⤵
    PID:216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:2
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:1168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2020 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:1028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:1
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:1
    3⤵
    PID:2576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3344 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:1
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4152 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:2932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:5444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:5368
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5580
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x294,0x29c,0x290,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1800
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2092
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1872,i,7942204451978529780,2210429029570803690,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5236

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2328

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4860

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3876
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a5d564abb9f918d833e5dec08ac8638b

SHA1
a341c2431b767513aa11da9590264321ad0218c1

SHA256
b1adb917c35608f5062a3ac9f949f582d857edeafbe0beb52a5fb79766c0e9fe

SHA512
7b2e8247e7e2dfa4878b29bdd01ee011eaddf7575b2cad4d9c3be8ae8a66542c55d4aa042e867a78d88f48cd8a5532b96b0838f0e76b459f00659c1f41e77e3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
65a5ab5069074bffed9004cdfbff799b

SHA1
06ba883aef4b5c5c47a13eeb57449d0f367ef7b5

SHA256
035fb18efeeceeb1430559859bd8dbe70b1a9b95f884e4fc757ba34d283e32b3

SHA512
107c5a3b2c7f65d4b292d4e714bb45bfb4a0d898dcdc10a2ff39baa53f71ff12285187bb531308aa6c24206c47a1af9de66b832b4a37bbc3812f16dcd6df54af

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
16361f860707d2a2aaf4a2a4f72c62ce

SHA1
1ebe84379b01ebfccc396d6377026e0da29c6690

SHA256
73e1af18715f2fad9c2cf770cc4f63292a4f9f2284b6639b7e14b3d3ce650cab

SHA512
d9896235783c8816a63cbff6b1db7098251887635cdc7fc4d4160a655f4ef1392efe1a42e82c11e306c8410ea917ca10ed231d8594ae747e95b41fe5677e4030

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c87611e7b89476a84bbf44dae73d69fd

SHA1
f637d7768800fdb306760fc0f35a87099b29c402

SHA256
12d4fe7953ba7bdf4a3252e446b7baf67f7f14c96393b05e8981e73f58a2c053

SHA512
1adbdeeda48f6703994b6355de198b2fd3c19fe980bc44e5919cc5a5d5e2c529260acd3d2126b95a7fa5d0a6704bb83e82691fa1956cee0e87fcf2971345974b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e63364d6f58db25717bb249f0ba0c13d

SHA1
8ff86a1e50a420e97edb39ea1b4e498b686dfe96

SHA256
25fd6de3c86c27f40f5b1183c8ac71b1f0308d3c433a2efad6c7942c5640f0ff

SHA512
95d26c1e155edf5f0235172f98141a475ed7fb866e8ee54b07f3733bf88d5d59de191a82ee0989ec2645dd0788520823784eb8e3203640d1b6e8aee6c15b16f5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
06546762f6a2f638134bf3881670aaaf

SHA1
443f24a85ddb491e3b971042ea53b37286c49696

SHA256
a875182357a75b973bb32a5208fca3b43e74f61cbbb6ecf459e34b8b082fbbff

SHA512
c875dc5036c872138596922df5335280657508a4dd1a583d06951ca72239f371b0691ae11f11152d4fdb4c595496f397ebe7a77cbf3d81490320bb4f9716b65e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
db5b012419e4ba5276f3416f2bd8d982

SHA1
92827f76288e629abea23a8da001ca58f75b7b40

SHA256
6aacaac10714818a08bd79c3cf523b1b18066ece1cf2c2e0889e83b375edab97

SHA512
b50525ac4d8d8b922fedc8a1ebe0cc8dde89d7bea5da05870a62ff7880e1a48d2dc00a341f75df28e4c55e566a1ca5f8c322ebe3ca77ff416859dd5839350bca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
502f7f1528500a649f296e3c1a06d79f

SHA1
36200f3d83b30996a057b46594fc3df3a72a02ce

SHA256
42fbcd234db88a01e2908e8cff7d3c5dfa08928c98474685204238e837da28a7

SHA512
9ca1731f35b33cf9247fd51fb6a755e0b73030b33301ac8209240cbc724867a030a49e39c5d3bfcb284b91c0c417563365602e99e7a00af415ae49279d9be1b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
653eeaa6fcdb004aa02aefc8e04ca4c6

SHA1
4e502562e3c34bb66c1841596b81e552472b8178

SHA256
d5e40b099793556e3cd383abfd56ab13666668f0775c041466498197b5044747

SHA512
ef912b8ff68c72d8900c3061195913aaefd9c56d2376c111096c5dbfb6efbdd3876fa7ea48d769bd62ace6fa3540cd9e4f5d73da131c4576988d660ddde52852

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8f1fb51800c644a0e666334e97b052ca

SHA1
9c60876347ff0604e80f61c61505b2fa5dc8757e

SHA256
45396da856471bae05f35df0e03cc73df06081e29ed41e09d93c9d733b6ec607

SHA512
1382225dbbfeb52b44c5a650e8d6010c244ff1d77e4f8062f29c179771bfe1d7367fa82c331c1138113d3b5116bfbf4580c7ed019321a532542432c4299af429

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1ff683d0e340946beb60783ce0e459eb

SHA1
f517dc675c1c77e58bf99ab30b35be2e6bcc6603

SHA256
c2cf1e05a5888a501aee6fcaa1c4547e164b44f7aa668639841272c4468f81e9

SHA512
61787050c264745dd28f2bdcf32fe3d82453cadd2eb1ae8b7d937953683873ad55cc8af6e6b987b4c300777bd2017691ce49e7307577b5550008a07803830fbd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d00ad67dac493c5dcc8ea3cc98f1077d

SHA1
c0c549b26fc72f7685163ba8e0c40e725c2482db

SHA256
23e4a16cd92bd6911210393e682d754c351ff0d1362a8aae0956ed096abc5bb8

SHA512
097ed14b4598c13d7cc2cd107c0dc66c2f5286f37e5354cf85cdfd39b61cc7fe2dea0d7b355b1569df62d5ba95585b92c92e788879c846200653d471216d1bb2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4b93ba98226126c8d2085d761a8ad035

SHA1
c8a9e95cfb253056d69d2f7d46ce6fd24735a5ad

SHA256
7b9ad8365ca080e0b8aeacb492dc6b7691b6c84f750cfe6db1c2810b211687ca

SHA512
75ae9a59ad215ae245304b8bc27d479e7e8483f336b3a79b7c9e04afaaabd4286ad3518f01ddcfb6ff6c6e0ec96e94e968d25612f0fdbbb9d5b942e21222f98e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2c8fe324ec744f38f9d614b324eed165

SHA1
2d339aa0223c19874afa3d2edb86529bf21f4bef

SHA256
539e0146a7fc83e142d123eb80a38515254c6393dff94c347836a0f390c95667

SHA512
16810c52e916e92d1f65ef381ca2efd36d466c4f5e728635478537389a9586c750c04a6445824631b02ad82b57ea070c719097f0c04d1b1ea4f0a01569f9fd43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
955e0fb1c818d2ec41e9a7f8298ec5ae

SHA1
86d84d146e777e880b3f512f9717ef4342f66696

SHA256
3050994e5bcb5e06dbf4c14e5186889bbb313e9f815cbc412390af215b66c540

SHA512
f53a90b3ecdd31874e5406f75e7a620fbfd5e2f4672957c53c0a9fc8e9e340cf578bd5115952507b737264e07db6e015e33416b9c964e8fd460de031be046324

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
22527042e889c2bc96a649a7dbd51228

SHA1
456ba18a6348d66a37ac60b3c6f438aa32fb143e

SHA256
95dd9f3c9d8c41ec95b1cc2e4ed730c45bdb0a61f4e679166cb5d4f3216f9801

SHA512
9a8b68dd69b1271bd97b247fcf80ea8237f15bca86732a9c60b149593d6decf76d711e5e8f05f3c7735aa9444e12f9b134ef13fdcb74f9a68a92bf694e86c552

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
319d945a9f274286cf28202a4aae296f

SHA1
8e4f642a32a8d74029f3665a58164bcb11dfde4a

SHA256
19079dc3681c61bbf4918c2e6d957d2460345966c0d32bf1227d7a7660eae190

SHA512
67cc473918c6b36bbf5e20c19e675859e14b701fa0042aae57fd8ec60c65fdaa38765e38a794a7c35b8e7cd4255b5febca7b3d30730016bb09fdee262f807a70

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
00941ed4a68b8a682df1590f603c14ea

SHA1
f300e4a24eb371c2eed34370db282c4c532f8d98

SHA256
4bba0251a7e83d144a31778e3f09511092ce88e1b334e815de4fc4e84cdfe50a

SHA512
b1174dacdeca785cd9c6bf09b9791e77098415e725e866462f98748e801a8ad79375fe910b46b0e3872519e709de9fb500a905125c8f768f1f3a883604414eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05534eb594c72e0efc9d4df9e860c031

SHA1
2711d47865b9d17021e0e460f18b5815d9f3cb77

SHA256
6ed4c3435a5d4daf9404452745d3608eebfad8e38a6b2bbf0b4e4bd25f3de2df

SHA512
dd4855dfa64fb2751e21d8d4be368bbc2dfa6a52bf55e65c7e6bab9a36e7e7a7a23f775b955de583a38b65a2b51ecfd8433d0bf6af4466418bdd4bbd3cc498c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3027bad71f3c4d49393a92908ef99c9e

SHA1
271102b25b14a40541e295d9af7329ff91358865

SHA256
a409a8021c7448f0b2c7bfa8e13e9adac121ca20d6bf74cc9981df6a056419ae

SHA512
3dec6c3b7b1ddd76b6084ed8c4965027892d821b7f2a4609f5357760254739774bbcca3136c47855deb61b7dde8755a0fa05a2471eccdc9392f8724af79582e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9deaac4f6d303d73d1191d3eb1130657

SHA1
722182b4deb58886d5921b7960b87924bd6e4c9d

SHA256
f1c68abb643f938dae7643f1c0bdcf95dbd3fa9efc15ca1235062cbe195a0477

SHA512
dca79263b83331dbc3c3bef3d87d1063273ef40da3100cf6ed322e9d4f6c03aa07d3a5ce4092e78372e14b7bdb51b6427909ffd43c6f7fed3fe3b6ab6d53635d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577203.TMP

Filesize
2KB

MD5
e51001326fdb734e7394cf6934f68920

SHA1
74a5c58398f50ab8cb348ab623ab2eabaf5479a7

SHA256
6df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292

SHA512
dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
00c3efa8705402f40ce63ff8b964960e

SHA1
1214fc6dccf5aedc55e5ef0b783777a17fe64838

SHA256
d496aa5f2ca4f101e318cafdb10a37be5b170171d75a1f3c4c483ac7acaa23f2

SHA512
8fdca6f37ffdfd7618f1dda629d40ed343cc7f18408eb9f66044b69686059a721bf0dba632439483795eb3c84e3d65c99b76e97210445383df9d71f70d5d9f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
7d926273ae325b37c445801eed02751f

SHA1
e00c6be2d617949aa9d028dc82ad798dff993660

SHA256
64d20fab7a2f48949ab0e67cc87369230a58df87ab71c2c2a70829986a4e3f32

SHA512
76452be15e4e3a35227007ea130cab11039daaaf49c7158e83b96ee47a27fd5d12101c4b8a1e0e80aa20e70c122eef492700fde3d07ee0c1ec0bb0bd508b542a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d760014103b5624a9ea48856add0e684

SHA1
c0f78c34343bcb343ca771cd64798ba8e1fb53c3

SHA256
79b3cb75bf81120fd3bea22194e2ed52d8a2d9afd9b4e7a67e16ba96457114e6

SHA512
73d367afa7eced1638da463142352af97919b6a36a5588270b718b42f96433332f5ed17d6b2828468855e2f20b6684dcc62a4ce7a0fa416b36d7b0cba671fd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
52a7012150c02783f4884a2bb7a9cad8

SHA1
fc7601d91c4853f79c32351fea5a42634c2a8a96

SHA256
25c2edb608fda6474d9b7c46b8b69d1d2a65b0e4b38a8886e2eb663571030ba2

SHA512
284e3dc647d1e702517fc58dddc52a39fdcb5cf62264def80f96ff35fee331e7d3cb1745de93ea497d7f14cf1093fe47c74ba1f03a698000352cddd0f85da84d

Download Submit
C:\Users\Admin\AppData\Roaming\91b993674ba38143.bin

Filesize
12KB

MD5
5be48f0386a863a4594ccbe61547e5d8

SHA1
654acd4124400120dccc86d79602e41955db0315

SHA256
29f79004d3aadea3c961cbae6a4eea38d362fc791fd2182d795a93b295ef0bfd

SHA512
f58d8189b96ecaa9a946a33b0f9c4fe5754f0addd5edbc7b8daa082a62d0cf8384ab6fc6bbbe6138af445dcd7c7a59e8b2bcf4f3a834ae7ee9c98bfae150f5b4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a653bfff510f339753ee59e001ed009f

SHA1
ee3b433494c9f32bb63c949579c87e0ade76cb52

SHA256
55fe76b1c9c5cdabab38449075599492eb34e1ab2eeb28f640234410f672f0b6

SHA512
69650b8810c7570d995dc9e5a93576604d580c7a2eb691a5267e31afb3c2f3b9ce60963b5e6717fa94026f1af5a6551278321682a0f4fadff386960481cdc81a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f831b4336b702f738d0992eb9caee516

SHA1
372d9f49d4f57e755b3654ba12e4eaf1878af691

SHA256
d29aae1fd9036809218b7aa114849c1ac0d86bb842b37a513a3dd8c0d3d50dcd

SHA512
2bf686ef6db53347a444b52a5c9492525d62e84f3ddcc7dad03abcf70a84a3368582a04986568f23a4a4f3718dc3fd2841db486ae7cca05a401869755354acbc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
118d42e210a3dd934064bb0cca14289a

SHA1
89a15e03bd54b980667a38d879c83d150088b93f

SHA256
e3eb9d18cf66d78ba9e49ea13c1f03e60dd477cefa5e3b68e53610ffdeaec85a

SHA512
087a2bd12bb62728cb6a8a74142d134859027e352900fe7d62619c0e21d61b743b3613f589bed3081cd1dc0d44bdfc5d7b3d723f03e740e6b26b51b9a746d682

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a24f3aa7c789e7abb91b4eed6ccb816a

SHA1
f519d81fcb8665b466f7132017045073bd6393ab

SHA256
26b5b71f16e2cc7fbd162c7f5b2e75ca5de355533c7e5d9c5bf7e0073880f17f

SHA512
b2ba3696f2c7363b058680e9e27552e5dd40c1ab988088457234be10c7abb252cb84ed076e3d59ef20d817f302fd4d66510a5cd1dc1fddaaee197746abcd66c9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8875d85519ee60b002f6f93c0c8d24fc

SHA1
f26dcce8538fee25425d7738af48ebc44ed198d1

SHA256
1b4c0fd745986b521b59e0108a0f360c623dce1d3d8f2c19d92d5354b37de1b3

SHA512
da5599cb463f0f41e39c0ec2f24cf802ab63d47880839fbf09a238705dc15c1757e426227049c2dbeb7851da1835b85e1ad7cdb4700f531970dac1b216f7c5fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
25765035448890cfa31db42d7660f166

SHA1
efbb642c23426fd5601806f453e79f85bc10a33e

SHA256
ce7a8fd157d44039251668ef31a398383b61a5e1a6c128e2f9dfe982976a81fd

SHA512
c8d3017649830f60ed8c8f059a7c9fb5a27e90381c32dc25163cda8f703204ccb0611229a786e1b65ba6e232c5e284dd47e9806c3d80e3a5e35ff3ea4b7291fd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
8583ae84a9ca40ab01ddb92e103bfe1c

SHA1
df1c8ef462fd0693b2386e3b5e2b974959ee86bd

SHA256
3ad611715b90bdadedc6d13924d3c682358524cf4756b854ceac0e443daf0a83

SHA512
cb0657e0fcc0b21be7cb1f8a1af25bf11aa6105ac8a53a01743b6389cb93390b1b2e96355ed8ee7be83a7be3979cc496159bd6e9180b19a79d3dd1c21c8fea25

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7e9f66cf63bcd341231a4cf752d7f61d

SHA1
d4dd09ffb3a24bc7b9b2e9512ef2b0c39c082b71

SHA256
6d6a6b0818a30303d47340c1523b1e5ae56589f974c1cd481c13721f42297ad8

SHA512
dd645e58df96bf19f1f2b54d11fd94aa802217cbf16eecad8c69e7ee9d8e6a327e6d676d9feef24e815c20d7d0f51b961d9b8d1d98b41e3cf5f58ec98dd024a9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
21ae7f4c3091c858d78360b9815ee1d9

SHA1
a4fbc2428b4ccfe6ab976467a4671d0637804ad5

SHA256
b09aafa651d48d2492fb6dd03b224290945f2b772d720778230593ac19c5a5cb

SHA512
0fe36e8941c52232e5e8290f646488bb052e59403315359e1954bd73c94ec44dcc00544abff7d07c71ad4e188b6f8d1ffabeb35e737623aa4fd8bbcfd1bcf085

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7869500a98a98f5c6a6709129947fba2

SHA1
28e4f6e2c9258a62a88c1c9837fdbd484a443ded

SHA256
d46fbf2ac8e17abfa0bab88ed50089df6e15a8548294097930e3d29cb3fa96e3

SHA512
8291cf982de2e56376b96c12075ee6a888071c2564aa4f65125491d71ab60e017b9efd72d962fbd3196d939779f291dbaf66b7319dd02dd1c582275bab936d9f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ac400e2253dbd49f9b311cc2b6672529

SHA1
24e60af081a372b2ea755dae651acc14221ac241

SHA256
d6c5ca2d95ab92091eaeef8fa1017fd3cfd07f8d4a5e8b337364403467487445

SHA512
6256699a0ce29df0bccca094d3976fc1df32d2cb4a25cbe09d5af2cf2b885117eeed13744608cb36810172ca913f158ddc4568ab00fa98d27c8ab0f182d6216b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
468a251fddefe3cb98a55cf30a28ff7d

SHA1
a51cc46734b4737e91b2935879e774f7b3b07853

SHA256
83236857f218eb890a0b962893b1a06cbae128c49d10b70e16cda244a21e54ac

SHA512
104e2b4d72fd4c18489853da9eaff995c1b29860b4db872f3004c8d14b5dc874085b4d754b268c4657c27e71f4e2f9402ab5eb6d70504aa04d654fe65bc0048e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4db78cbfc0cf51bb4a1bdb4c39a44819

SHA1
75311a465e87ac2fa837d2ba46b41b6b200dc4ab

SHA256
cf010da295c025635d8bb16c5a4d5fd78ba15289726f47168defb20888b628a5

SHA512
2075386dc3ee36b796317a7a82564e7119b2a313b824e94b76497fdccb7be8703af901715c381fe3c84d1a946e4dcf325d31d02ed407c6b94a61fa3d2f6e7ccb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b257a105a92937c6cf9f13655d53f87d

SHA1
392b26deb7da22efc74a518fcb1fa8015721eef2

SHA256
8bbae8219197c4211dc9e39550e1c88e1a797da012c76a5cfa1c37b3ef2c0660

SHA512
a4374a51e69b19aeac7fcc163309523edab0668f39f50d76879ff8c6e68b29c821510a613a35ccaae238fb40835eb3bf6d488141558c2f24b97f1468eda966ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dc994d745d4058314efc897644945bd3

SHA1
cfebef058b4977845ff5c31e17427db3ded28692

SHA256
791df57e81e73b8e799c022f555cb26bb861a6bae7d0c5207a028ed870b604a3

SHA512
5b01c46083b6741ea05718da2a15a556e812d361f94b2c2d269729e82e7de29556e7b7800138f4db7e616e4adadb73e2091badf8b051a9b74d3933744bed0020

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a027a9d40826d3a09fdb9f4af9b4c052

SHA1
f6fe490c2ab87abbcc964ac5dcf97c95b4f103b2

SHA256
8221f9d5f491d1719d14d24bbdb68c76971e2b5ae713e9dd06643d834075fc39

SHA512
3883ce089828b9ae9999a6ddc514e77fb15fdd986487457ba3dea25f04b18943e25fdaf2355799ddd7bfb21deb5d71fac21508cabc6046f0732252836393bea1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7d901d64d342c3e91cc2dca5548ef787

SHA1
bfa50a9706752eb4324f2a3064c2b5c3f2030530

SHA256
ccbd254c2d955e2c3a56a3028fd09bd10e177e858398be0545e63f8b6e08cce2

SHA512
dfbf58c81248a67673ff7b629f2b07eb2b166b91b70dee4841bb3811b8e03b9657ede747b70937351ae7e8761afacb1def2289776346dc0070df5fae2dcdf833

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb36667f9fa009e333ac7b4bc9724b7d

SHA1
51ac0f540387a16b20b51e7f22aca0285eaa7e69

SHA256
7c28307888ccfb199ad9903165fada70405c364a1edd84471c6189b97a3c57f7

SHA512
9778a82557c95306ffba0ea425da59379313400be1a1191f8f5102824ce1a57575c50d2edcc9770c607412be1e7e9df0c4e16892258d70920fb54df62b351545

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
260b0e3a53746be1616919a463e54706

SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a

SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309

SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
08b62ce3e55730551e078ef99c483384

SHA1
b1e8315fb52e7f26c308ae96fa80dd0341aae922

SHA256
b61226048e323114b84437705bb3cfce3518a481c7af8a0aaa6e23859a3e000b

SHA512
5043d839287390022985d1bb11491fbfafd6558dbbe33634296af2f96345661cfc60c7dc955f5583f8910c3194099f6463c822d3237e0df752dbc031ee562e3e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0a2e862ffc4b7b5ab04d00a352a872c9

SHA1
a7ec9e2eb4748e8357af548502636f15ca8c98b5

SHA256
67b0e11a5d10823fd637d1af647e6251b6761b94421ba618796f6d034f03001d

SHA512
545c65060004ecf61ce5d1cae26405cb01e53e421848843d75d8453b46ad14be1ad74f06362e01d4d021a4d13c44f2463e2dce164de532bf08877a2de7c51afb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
2a874dbdf8b774e40247dc01e6c896dc

SHA1
5188232719aaf08b6889b676fe10d2da7aef51f2

SHA256
1a82570959a0c8a39aff773f99109d92a8f4971844c3ae8f13f213257e9fb24f

SHA512
6779212473526a5d8f3d12c344946bf1f652dc3d714bdb2a89029756e48536f317cfc0b981c5732fd2bd1264241796ad2d57feeba51e9c2767b5fe0f21cdf1da

Download Submit
memory/116-580-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/116-118-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/116-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/508-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/508-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/676-242-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/816-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/816-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/816-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/816-431-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1748-56-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1748-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1748-41-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1800-613-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1800-419-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1956-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-592-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2040-241-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2092-462-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2092-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2168-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2240-54-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2240-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2240-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2240-48-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2268-115-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2268-111-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2268-105-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2328-103-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2636-246-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2636-595-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2696-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2696-6-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/2696-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2696-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3092-189-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3144-399-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3144-27-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3180-11-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3180-19-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3180-20-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/3180-143-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3312-588-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3312-141-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3412-591-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3412-144-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3564-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3876-596-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3876-247-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4220-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4220-85-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4220-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4220-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4464-166-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4644-243-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4860-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4860-505-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5420-614-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-444-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5580-473-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5580-412-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download