d65a7c95812b108c416354bde890821ddaab3a3991968fe73afc66e1425464c3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
Size

5.4MB
MD5

12633174a320bc7fc91720ebd0ef5ddd
SHA1

171524e8af2e98a3c50e81eb53d7f32678bdaee8
SHA256

d65a7c95812b108c416354bde890821ddaab3a3991968fe73afc66e1425464c3
SHA512

0f2e3e464bbe8a36c0fcbc1732ddde5bb6b7cf908d293dfcb2b779fd9cd5901d604535da8f18341947f0538617766e9338779e9ee7bf9768273892c4b33b410e
SSDEEP

49152:H0kwIi7c4xZlm5knEtw99Kn/2vim7vgv6m+yyJ/0gbvjy7yY7BHi3u7L/gBUUWLP:rwfhY7g/rLO7yYA3awr341gZD527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1912	alg.exe
2220	DiagnosticsHub.StandardCollector.Service.exe
1224	fxssvc.exe
712	elevation_service.exe
2548	elevation_service.exe
2632	maintenanceservice.exe
3672	msdtc.exe
4916	OSE.EXE
1420	PerceptionSimulationService.exe
844	perfhost.exe
4364	locator.exe
2576	SensorDataService.exe
208	snmptrap.exe
3716	spectrum.exe
1692	ssh-agent.exe
1568	TieringEngineService.exe
4288	AgentService.exe
3660	vds.exe
3032	vssvc.exe
2120	wbengine.exe
2060	WmiApSrv.exe
4424	SearchIndexer.exe
5396	chrmstp.exe
5488	chrmstp.exe
5604	chrmstp.exe
5680	chrmstp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4bfa3f6026e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\chrome_installer.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\java.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058cf82cdfd14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004392a6cdfd14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000032053cdfd14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e86b9fcdfd14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001f86acdfd14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe
3640	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4280	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	3628	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	1224	fxssvc.exe
Token: SeRestorePrivilege	1568	TieringEngineService.exe
Token: SeManageVolumePrivilege	1568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4288	AgentService.exe
Token: SeBackupPrivilege	3032	vssvc.exe
Token: SeRestorePrivilege	3032	vssvc.exe
Token: SeAuditPrivilege	3032	vssvc.exe
Token: SeBackupPrivilege	2120	wbengine.exe
Token: SeRestorePrivilege	2120	wbengine.exe
Token: SeSecurityPrivilege	2120	wbengine.exe
Token: 33	4424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4424	SearchIndexer.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeCreatePagefilePrivilege	3368	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3368	chrome.exe
3368	chrome.exe
3368	chrome.exe
5604	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3628	4280	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe	82
PID 4280 wrote to memory of 3628	4280	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe	82
PID 4280 wrote to memory of 3368	4280	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe	83
PID 4280 wrote to memory of 3368	4280	2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe	83
PID 3368 wrote to memory of 400	3368	chrome.exe	84
PID 3368 wrote to memory of 400	3368	chrome.exe	84
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 2044	3368	chrome.exe	111
PID 3368 wrote to memory of 552	3368	chrome.exe	112
PID 3368 wrote to memory of 552	3368	chrome.exe	112
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113
PID 3368 wrote to memory of 3560	3368	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-02_12633174a320bc7fc91720ebd0ef5ddd_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x14044ae48,0x14044ae58,0x14044ae68
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa1ef9cc40,0x7ffa1ef9cc4c,0x7ffa1ef9cc58
    3⤵
    PID:400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:2044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    PID:3560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:2332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4508 /prefetch:1
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4664 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    PID:5360
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5396
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:5488
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5604
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a8,0x2d8,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        
        PID:5680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5176,i,16157075565727807210,18005886758929413510,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2304

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2052
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
757f7a6ef59d6dc7af8b8d46f460706a

SHA1
5c07ec000da7392c810ade57f72c6a56e1356b41

SHA256
9af48e5d3827711c9b84cb68bd91a4704bf4e219e937b87166424d76073902a0

SHA512
412f8fbc116c7bb594bd0f67c7e5e8b23830e28a6995fbf63de659570f59796166ac1a64324579358fd6369b94a1b73f166dcf021123f440fc1ef0fe357607c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
29d641008b2eadc5b833c9f25e3e2336

SHA1
0b267fe859268f4fae14466f23386a3d2d82a9ec

SHA256
40058e6d4d4edbaa3676d148e5cab3a6d7ab8804fdfc91e0afad5c9b2aabacef

SHA512
3a93c55a82a3c4b394db32e880e11d82ec9408105b0baa0b7f07b06aa8009ec5520ad0b1090cf577a304dd0225687644f3ae6d1691e3b9728755d824d8a47555

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
d552d379b67c959975ea5bf7dbc6bfe9

SHA1
d4d0ce77b177c473aae4303dabcb1a66470996d4

SHA256
86041ad5ab0200f0c99a3d0ed436be10da4ca63d32e888e66de007ccd654ce57

SHA512
ce13722676f45ad06e90a4243823cd9efb4eda21c0347cd7c0753c1a84d476541b386c4a0634ddddcff2150785f7993f00d6eaca787f58af812f9bce49f7590c

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
8e5c20eaadc9da88f9d35f5162be2408

SHA1
f1341c00c8651c1a7ab450b0c614722c5881b4ad

SHA256
fd3704a96d2cff1ee3a66d0eb9f322f0ba2bb92ac4292004c6a65218d2835f80

SHA512
8d64cce2d908e2e214deef2efc74be10d28b3c6f7b94bf4ab502019a52671c4c010d4eeb1f9865d77615c6737edf1b27153201d3dfa5ee4540d6a567679402a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0bbf897605fbc312a53afdeeb275134e

SHA1
411341347b291b5cd7a1de9af9743448a093b8f2

SHA256
11800cea28f097b1866c7d8fe22d54fdcf6662e462ee808aa3f089caec02de8f

SHA512
de4d4ef695eb141210a06a641dbc3122c71c72f53e5c49f019a2a482b46466b52dff15964d7a010d6004f43162d9967896796298037db63a5358fee5962f228c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0a0a474dc415e2e74dc1032e5fa7ee4a

SHA1
e0d92ecdc23b89d68c2b9a139d2c5d69863f8fd1

SHA256
439f3a5e46f42846d8519c921c29031026b940a8fdbd8ae81abb83a17d50cdcc

SHA512
957c361ded13650aec5888028f34e6ce2d4dae0176838a1fe0b5be8a6722c899418cdc45ac785cf3c0c06e6a1de560a1d75ee39fbe25c802d1c52298dcc723b2

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\b5108072-d666-4880-90f6-9b43fa92911b.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
af2ac817e91cbbc9f636481382b93e59

SHA1
894ef7346e32f322bb069e7b352e501bdfe9d60b

SHA256
a792c41e8f33b310d4702758b37ab67a8ee262d24a8d1c85121f4a00ccbc0b6a

SHA512
d8a5a59f87ac493f187a0609972e1e5b05ce579c1879df5172f24c66429d58d7f587b5dc440c3fea3a7b568ff1455f8aa73e8524ebf4d03b537c63b8850dd932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2142a5ea597050934d5180821a6951e2

SHA1
e9420d5c83a40424a6e37b3a6c89ef251d62c464

SHA256
eaf6e7296d2d6c78f99a8f3db2ad17b61a47b7837e6cd35d931dc7a8352aa172

SHA512
f1cbc129d3c7f1af9e65b7b5b100c12a1e8d0f7143caa6b9ddc1a3480888a1489176fb692f472b520c26a3f98f3f71a1110831ac2796b777bf752ece153d0d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
91231152a1d9728c10eae3e91c43c26b

SHA1
24a4de84f684a5f84e7119e29ce1a4752e3df9a3

SHA256
c56582488d46c1d2afae199a7bef5c788001ed2316075248eff726204401f087

SHA512
83db9c8e7ddc56deeb25da7ce5c4e0edfca6af409e7c05f024c474250fea2225c4bcd15451f292fdef3910fcb1bd3fd4de7b0d920dd57f575e6dc40739d65219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
28eeb18d16d63d687a456fd2be89d690

SHA1
e5fcf54ad83b2357bd40bb977e5a57f8d3df9fd2

SHA256
f784a772fdd9ead7cedc0965ca8beb935af7eb2d7dfaaf399b1009578b69e2ed

SHA512
9925c7d7971083e5e7a97f33b04f2d61478dbbd0b816a3c3d54d764d7035d5f38673cafbf9a635eadb6d788873e6e2f80aa1ed174b5f490d42af3f25a0cb5c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9299e00bf442a98c3bb8bbb549a94bcd

SHA1
204cd932719bd763bcf71026f8786f069e6d5323

SHA256
53e7fb28a64c0aadcd8ffb2611391e1392a5056177c1da0263326ff8b516c28e

SHA512
b06e1f47910593b0362bd0da50ac07391420dbde151c55ebc9cdf5e6189e2d6724ba6ed710d5aad2f5cc981de5707c1b0d8750ccea88cd8f18ec381dd9b9d65b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
85747bd248cd61ed9b3e8a79b0f4b86d

SHA1
acc7a9cf24db6b5fe0d68932d061672fd88abda7

SHA256
b38cfa05a07d54b41c5972a159bb69e533205ded7c09b02566811999a1499c55

SHA512
15978da7809cc4259f1a9a5a2848b48d36b10219bde3ca5f1767f64f8215733ac2375c68da1ae20d0606b62568ec9cb198fa6aec17172c0427ffb69f2c8395b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62ce89441cee0a4ab5b701425c033546

SHA1
63333d349b45f13d74ec7c5f7c6cbaeb99c04db7

SHA256
2377173f7242eb1e8990e3c9a9f052f5168104ec94c9d23caa76705ac88bbfd2

SHA512
55d0dea65e819d83deb0b6eec963fdc757331f5776bcc817a38be4bc168244a4b856f05cd2f73ddb9bbb21f3a58488a89615c891e8a9575c78100a648a20f738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bfe28bdc6b0161c97cf2ad4a7037cec5

SHA1
2fe8ea2c83ba86f4ff876c42869c16b3af963e0c

SHA256
f365a3f0328fb163c97f50d811cebceab3c731cdfde121be3c7cb2e5d5d4c910

SHA512
1f3e90d4cefa6e844c7c4ad297797f67d1a803a8680db27acadbb802d81191875ec5eb1699944b1772a5375681791ffa20400dbb1844c25e271dfa38f61bd6b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
285f4fe3006a1c86661390235718626a

SHA1
44839d21c9c3737775d0ca7f770c2ee90ba27902

SHA256
48caa7f71cbfdfd59741b64f923481f7dcec95dacf57def13e5a874aa5b21bda

SHA512
b51e2abb1e2d9778984804cb0c5adac5a18ef94eaa33b6386c6a93e3a8dac31d684b3233cca222b1649e313b9cbf5a9bac678309f6878a3ff6265bea91efac48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eda8202532c7582f729ecdc5eb4ce0d0

SHA1
a7cd08946e4bc73bd494094e77e3d1a91a12cb12

SHA256
342c601a126829e93ba8a29dc007dc3e74c299df02f6cb98790dcd2a4ada034b

SHA512
b96d8fe43ad84c7e260680c221fd275bfea4c0e8e7b35acaba7c68d8845e44f9fa979aaca3f51cd14fc9d67cec8885459c5793cfa98daf5d0bd1fd75fe41aee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57b565.TMP

Filesize
1KB

MD5
23bb023b6adac4f5f18c89712847c051

SHA1
1024fc50d254d66a2db93c8aba065e240357976a

SHA256
f43fde6f54ef360492c2f86144e14fc7da2a0793464876b0db7d794b14a6d9dd

SHA512
186f7c9f0048704cfbf27bcb37d312ed960f2b2509bab9d4e577b0927f415e9fc9aaa6a7d325c8231628fa7f043192a636438f1805481977a22d7ed0b2f336e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
26dc0b7be0d3176bbce31598ffda0812

SHA1
fa26ca84cecfa6015ce4caab3c1747f6d636c987

SHA256
f4c2fd8a389ccb9fe9d6b0103c44982502f6716be6e63f335acd63662b59d900

SHA512
ca93a1aec920a50ebf5d79ad55904233768efb7cf9a13176a34aa913f4db7066df51c9c7af1ed7f5cd6bcfc706a2dd106a616c27ef52ae4c971b48449bcdf27f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
0b16370a49c3c9241fee4cb496cb29a2

SHA1
a4f123b371342f1ffbe1d176055017c300efbd1d

SHA256
5d4dc6eaaf25389c906d322ac59d1e6ea8b4336617eec7a6c18898d235e594c1

SHA512
39f6d6cec265e4ba67dcc53c55c92ad32f382337ad9753b6eb534ece904207911545ad0b9c50602dbf80888ce0c72cd1d2515fd918ed3d7aad338d2d49baa83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
ec38a36cc1fc623859ac325859a5bf2e

SHA1
10f4c9d8a119f20eea830d0e6dc8c2bf3ca1cd10

SHA256
46b8df0a35b348eb6056de0152c01ffe1c6b3db2189d9cb4407801689daf651e

SHA512
17178aec40adfac9a5d5cb1ee19f49c26d264aeeee7b7f93a50efd25e0ad69c242b6a5af9215c41db73a56a23e12833cc9144cf9ed4c4442b13ad970c6db4a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
313b5175d68a8327a02e164c5fe3096a

SHA1
6574bf271fdc2c876aecacd7f7f91492b5f3cfd9

SHA256
0d4e6a557adf7b88aaa5c9c2c78650d31009826c666373378748cd67f180e8fa

SHA512
bc13d08c2b3cd1a6a91cbc2cb2d0e9e6a9e803becaf1cfe6aa4d913266afbfcf1ebe28e7017e625b0bbc9c4ed75f672371e3fef2a09a71c633de66a5756056ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4463511d92a61e91c3921934a284bfd9

SHA1
367b8c4d9be446d6bef63dcd76c1fd7d1f2fca2d

SHA256
73000fc992a6b527c555a364b221cf8ec7dc047b3ff786bdb357e4a9885109ab

SHA512
7922d7a6166d632c9664f9f46970fd9fc04e9b5cd3307dfd0c3acb2890ae8225ee9d4eff89725d8478821c94f041248ba573069965969b8bd4b4bb26d416db48

Download Submit
C:\Users\Admin\AppData\Roaming\4bfa3f6026e8edb0.bin

Filesize
12KB

MD5
c990e9c5248674b69f4986102ddc0176

SHA1
0d5b735658ce5f5108211ba9ccadb3ca8f40bb0d

SHA256
4e6163c112ff5dcaf16fd6172b9f6d518f447391d4f9ec5990dd4f5a2fb1267c

SHA512
321cc50bdb9c74008409aceff249b7bdddcd709e5a3496bcf269006dcc77a2849077207975a612e2e8ae33f441f12670cefea07556edfb8246e9c3abe85b2dbc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
3caf845d2a8d91d440f1baf177417a9a

SHA1
dd0f969e2f2be204d226f93b5a3e3aa35c13e39b

SHA256
1b9f236f3ea63f9a2912a86d1edf5e079567f627162c1e8b5146972af6e5ec57

SHA512
46f3fc26ea80c0b5cb6469f5eca60251e608bb6b1eeb0d32ccdef49bb7776e89c9f5b92b9f929f0b7ae1e7e040d10813c73bcdb94486f8b4ead8df14b0f46e59

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b10d260ca73ad1e82dd4aae99fce0679

SHA1
b9626faaf96751b3d9607bfcd59c9b4a732b5abc

SHA256
ccd3aa37f0ca9de8342bab78984ce4f97ac27f3269fe182cedbd1b9d7d5cbdfb

SHA512
9249a93f028b6f71c9b7c30e82ae984331c1370e0061e742c98e256a3f99a9a307c0a120b3747c252d45746c281d1ec498de4dc9244e0aab9aba9be0a9720733

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
5f128e678ef7d9bbcdc726ac4560b9c0

SHA1
f31238de2923ad8ba7ebadc2e99aa108fb05d289

SHA256
568a274fc69fd57e02eb7817fcf7f53601f9b83731022b2d116e7ec3f6923945

SHA512
3a083fd368439a0e714e9eff399ded1d491ba286be9886654eea1e1794b24bb3f5966e32d7483916b7d6cc5dc809d379a372dddfc47d036e6477a0664fa94049

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
92c0e9f32a6361b053e85d698a93e641

SHA1
5167a8d01106de3f704606776d075882b7772a98

SHA256
d8c4b16db5b0baab1decae5c41c582144adf4853d24e488754d0f280fdbbe089

SHA512
0ee4e458660175844b110c13587d21a4f9f03ba36501b63cfcce88248848e77883aca3c8450a05e408eb8b9655878e49504363cdcdc3c2955f7599737f866c30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
4b96b254d5ff44f0090516d48b28cbc6

SHA1
8ff4acda2ff8f33ae98d36c893f91989f9e856d1

SHA256
bdf6f09f3780563e4f9152b06595376c8e09ba8dc7f1ad9cc2f3757a20bca336

SHA512
32b4628e36e3779f437602683ef6fa5e14da7711b8323d36ff4e24ab069c0c459f2429cc5a4bb4e286401c86ba55c3952bfb4302bdb369fe5b025914bf37ca7f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
f5f144b6d53433c574c1ede9bc3e7826

SHA1
6dd19c38e88805a21fe3b1ace6bed8fd599e34fe

SHA256
71a0e62827f2d825da419642be1ec2f8e071fb67659ff3d85e43ea3a09d01bcc

SHA512
d9264544967caf7c29b0661bc2d810893f53c5b2ae2caa6fb2c965e0a1a8ba25105789d46fdcfd0a3a9af20dd9fc2fa5b9943eb450c872aad5ecd137ae7981d9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
d83e2701e04c53590ac30cec218e48ba

SHA1
b514f17ffa5267766a6e9b854798cac388f5daec

SHA256
cecc5f00151da2a038d0b26b8f38e28fa9e7a3971f349ee24bab5e0689552d7c

SHA512
2280753c715646fb9091d844ddbc76e0414edafd1b0a267736ced8a6cacff13403acc82b9a31bed2a430ece0cc9301aee5fdd2c161259bf4ff83ae241f4c947d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
848d3abf8834995914853a7d6a46d6cb

SHA1
09f0a30562bd9b81deba2e52387d1c7a3ce28d65

SHA256
3eb096aa43600fd05a96c6d08263af0104547ce9310cf2c1aed61cd6cbac3e48

SHA512
e8c48f54434026097ac577f6b6f97a3f2e73d70d85f95cce61a341bea5942f2c40b2bf189a0990c7b64d85ca47e7dbbd97839b2bd7d79d9c8f3f09ca05bb364b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
046da79f8a18d282f09c177ecaf23cea

SHA1
2a1195d2354f5ccdfb47c0e970c62956840a056a

SHA256
c42be2a92039ab8b5775f93d298aaae992ab96dbd260593680d6563be4fcec78

SHA512
0f21668cf52e204293782d2aef9b266c50a090a8872245ea0fd0336002647de3af0a37ae4f20f5ef5a83755cc38cc7b57d8927a53865f22fc312438080ba3c27

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
888c7ad10a67d03b31f44d9de96c65ef

SHA1
dfc9ae252045de14d999793acd69bee2df04cfaa

SHA256
eb8a98a6780daa144c680221b77ca8627d0e273bacca98f5cfb1185d9a3bfb60

SHA512
194b308ebc064126666a8a1723ab2ec5577050b257e4b15c2b0087c1cb7282980480049352ca72474823c4995dfbac8074c1cd31d7a017153b181f25122aaf2f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
f322909563866a5bc8026a9c0be79684

SHA1
f0c38a39feb12c0cfa72c3ea24cc9a3bbc0f2752

SHA256
30df71c4c4f96b8c0ac6fb7c6f03862f9c89222efc73d83123cc10f92a6bfeb3

SHA512
769aa1e25f414d0567c4e263e071c3cef9068ab4e7cd5d61179fe538605e544fe661cb0462132766aed7e65625d5f2348aa2f386628d6799eb50bff4dda36690

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8a195ca7889008d15c4ad2bb40896f6d

SHA1
8fb91d69c01ba5a446874472eded7611029a5b36

SHA256
4d5ad620cb42a2bc25f45f325976a3fb671894f9075d5a50575c2f41834ede7f

SHA512
0702e539c8cba57e92f0eff8c956ff1452343c83e094f8417ac4dce235aa5835ede2f592362f0e35540ff9727ede94f9869f3026c94ffe3dca601fc57c75c09f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
e7f535244f7a60a8ecdc4828d4ed5a19

SHA1
02653574c463b24484838016c3a6c78645a621a0

SHA256
652ab53e19f7ce81c899434574926e04ddacd8eef043905c6ee72b4bd3b0c273

SHA512
8b8e4a83ee83c3801721ee97d944ebfb736bc36a71cce0724cf8b2f7cc7f550db9184252472213326a0cf9db01f290a55e2876cd6fff16a1bfbc4000df62c952

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
dedec634084f871ad4eb5b8302722919

SHA1
3886b48f05660e04e83464007a51b38d8a841aad

SHA256
043fe02abc4f02c926b8d430a6527080d68daaeac44d55cb163bf5671cfead02

SHA512
8f670e07447406069509f9a8156e389fc65677d9e4f8441450978bbcc047692200ec4618b5d4ce93985d78032792420696107d316d63e22a69ea67f60076f8e0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
aa663c95f99bcff16911d376cd911d46

SHA1
74903ec0f379cb331a2e2d496266ba55b8f88feb

SHA256
3c4260a9a0cc0a44326e71abbc9d9abb460c0bfa635794eed12729ef03e667af

SHA512
4a85661c25cb4c5c8f4918ad69725551b0a73e47dbe6361f8b18b9d55444370e7dacdceb1ea4dc9131d1aeede8c44167e07aa985ab8f3c2a6e632ff8eefe5e3a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
66fb5fa514b7704ed5745e51ce13533c

SHA1
ef5d49f79dde8d208367df41a48101d87135ceeb

SHA256
8f2d79473dcbeb99536532eb3e5bc0ddad2920475fa6477b156c63c1d72199ad

SHA512
54b4561d161fa6b490cd9f8bdd279b7a61c51d98e9ea060d1987ec56bc2c65f7c0475c1ab274c82f5062bde415399a451d2d32211ba597c10e5fcc6692d2ddf3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ade448643f81c8083e6a859eb6008b14

SHA1
d76b786ffe20d2a2ff7adf5b762126542f54f68e

SHA256
3ce14e3eb06c7c21dbd5d6a39d59899a41a6cc46f1e7a3d3bcc4818b492897b2

SHA512
c7de79f31f8ca56be10e7cbf234ae7b42f115ee526828c1938889b55ddc5dc63cc0f866e9f133372188f626f989263f6ec4eda5911e5ad49e6326ad226c2b724

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e6bb00665b3cc1fb0fb397f2ab8bc9a5

SHA1
d8d62ce2172145783dc16ceeef3c498cf93e497a

SHA256
516b9a41877c7e4692bb02fe485babe7d865526028899e3d9e69273007045754

SHA512
21828fcf26fe976779136bcaeb2115c8d2559574ecbfb7af460f621d5051b6a7f4c7d898f25752a65759c381c58612941a8671194dfca9c32d7eb1dde161fb19

Download Submit
memory/208-417-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/208-181-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/712-192-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/712-67-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/712-73-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/712-482-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/712-75-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/844-143-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/844-267-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1224-63-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1224-77-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1224-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1224-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1224-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1420-255-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1420-141-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1568-217-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1568-508-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1692-206-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1692-485-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1912-129-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1912-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1912-40-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1912-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2060-572-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2060-280-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2120-268-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2120-559-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2220-157-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2220-43-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2220-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2548-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2548-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2548-205-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2548-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2576-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2576-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2576-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2632-92-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2632-101-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2632-106-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3032-545-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3032-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3628-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3628-15-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3628-100-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3628-19-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3660-537-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3660-244-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3672-228-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3672-108-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3716-193-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3716-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4280-28-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4280-21-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4280-2-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4280-7-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4280-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4288-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4288-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4364-158-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4364-279-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4424-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4916-130-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4916-243-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5396-606-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5396-542-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5488-554-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5488-685-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5604-569-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5604-595-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5680-693-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5680-583-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download