0bc031670387788a22efc73a3288e0b3722b85f80f78db86cc5e10f716c62bda

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 15:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
Size

4.6MB
MD5

f8f8ed7653985da87fc723b2addd0f88
SHA1

1a341b5071520b140e5b3f10e2a33b3db16e153c
SHA256

0bc031670387788a22efc73a3288e0b3722b85f80f78db86cc5e10f716c62bda
SHA512

862671e3dd7a237900ca381c20e9f3938d3a93d0570695c598d05adb2a08aa36595f042b445f29bff6380167731e411376a5a6d8f795815e32f2eff148defef6
SSDEEP

49152:undPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGL:02D8siFIIm3Gob5iERfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2464	alg.exe
4840	DiagnosticsHub.StandardCollector.Service.exe
4968	fxssvc.exe
3088	elevation_service.exe
4576	elevation_service.exe
792	maintenanceservice.exe
2724	msdtc.exe
5040	OSE.EXE
996	PerceptionSimulationService.exe
2380	perfhost.exe
2364	locator.exe
1008	SensorDataService.exe
4408	snmptrap.exe
3888	spectrum.exe
340	ssh-agent.exe
2972	TieringEngineService.exe
684	AgentService.exe
4708	vds.exe
116	vssvc.exe
4956	wbengine.exe
1680	WmiApSrv.exe
4088	SearchIndexer.exe
5020	chrmstp.exe
1040	chrmstp.exe
404	chrmstp.exe
4940	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a0c3e39385dff9a7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000278d8f3725ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b391c72d25ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4cc2d3725ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045bebd3625ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645798009579011"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000377a112e25ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027f2533725ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057f0262e25ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000585cbb3625ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073162e2e25ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
4156	chrome.exe
4156	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2892	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
Token: SeTakeOwnershipPrivilege	3560	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
Token: SeAuditPrivilege	4968	fxssvc.exe
Token: SeRestorePrivilege	2972	TieringEngineService.exe
Token: SeManageVolumePrivilege	2972	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	684	AgentService.exe
Token: SeBackupPrivilege	116	vssvc.exe
Token: SeRestorePrivilege	116	vssvc.exe
Token: SeAuditPrivilege	116	vssvc.exe
Token: SeBackupPrivilege	4956	wbengine.exe
Token: SeRestorePrivilege	4956	wbengine.exe
Token: SeSecurityPrivilege	4956	wbengine.exe
Token: 33	4088	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe
Token: SeShutdownPrivilege	4620	chrome.exe
Token: SeCreatePagefilePrivilege	4620	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4620	chrome.exe
4620	chrome.exe
4620	chrome.exe
404	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3560	2892	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe	90
PID 2892 wrote to memory of 3560	2892	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe	90
PID 2892 wrote to memory of 4620	2892	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe	91
PID 2892 wrote to memory of 4620	2892	2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe	91
PID 4620 wrote to memory of 1036	4620	chrome.exe	92
PID 4620 wrote to memory of 1036	4620	chrome.exe	92
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 5988	4620	chrome.exe	119
PID 4620 wrote to memory of 6008	4620	chrome.exe	120
PID 4620 wrote to memory of 6008	4620	chrome.exe	120
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121
PID 4620 wrote to memory of 6084	4620	chrome.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-04_f8f8ed7653985da87fc723b2addd0f88_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf872ab58,0x7ffaf872ab68,0x7ffaf872ab78
    3⤵
    PID:1036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:2
    3⤵
    PID:5988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:8
    3⤵
    PID:6008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:8
    3⤵
    PID:6084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:1
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:1
    3⤵
    PID:5164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:1
    3⤵
    PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:8
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:8
    3⤵
    PID:5616
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5020
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1040
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:404
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:8
    3⤵
    PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=872 --field-trial-handle=1884,i,12438830942728724199,15503194458024615450,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1800

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2724

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1008

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5920
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4232,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

Filesize
2.4MB

MD5
37a12d2fcbaf9586cff266f90e13016e

SHA1
01becf4dbd16d9fb4c70f38210fb95b001982b85

SHA256
53dd546146fba2c935353dee350186f0af7f0fafd8b8412da50ea522a116d9df

SHA512
31f1a811f42e5fd204b6da6600677d394aea8e7d814680a42b2e0ecf4b307d4cb54f3235ed986090fa38753d59cd045d6a613e1c4231b24c6d8ad25baac5da37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f3d08c8f7133681ff8d889a6cdd6d179

SHA1
0d9cee85b9c3e6fd2a73b6db452f20f618946000

SHA256
a8a9ccf1debb3027ddaf5de8ae946c8013c971b69c0b6eb0a7df2feb8756b51f

SHA512
7a5835579e485c6c4aa857961ed1ededf1b81643eac194245f21e91a58bf6c1ec86710f0eaa0326f648516976aebaf25d6ce43a01eacda73389fa14c851900a1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
46a4cc27a3e0662eb6a94fbdc3fa0001

SHA1
f2ee9aabe1444fe1be34a912fb6f9a87539596d2

SHA256
4d196e73cff1b45e2fe512d1c3483a594bd3b698c221e3dbf4204ea6819fc235

SHA512
a0838b156a4b72748cd9ea4fd4522f0a792529cb8f8ac5418a748ab4b2a82be0550c9149afeaf5d0e2df5acffa5104f942eb387dacdaa13f7c94a37473fb22cc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fffb0fa85bb3450dbaaceec415279387

SHA1
82293fed57a833720e58c8f82e30acd0e7f6b952

SHA256
d1e978365752d2ab170208bb882fb036bb73b965e9e2c180cdfcc255ade57398

SHA512
0fd2a550270509a9cac61af50a2f4a5a0055483a3617abf212aff6b6e5f3e3dd94ed8d7430c526d76a0ce5d6b7887a55cc4be771928a9a6f22592ca65765ca41

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b889df1cf93fe47effacc74776c735d8

SHA1
c60de08c9924f3f56cc0690c5eab04a44a196701

SHA256
5a907b98170af31e61f1348f04856e72e81795196e973d16bfe1a587e9c96cbb

SHA512
33baeb6aee445187fb7c71c6e1183df458db25de6853677e5562910c396e82e36bdfe3cce46bd6726992073ba335efa27f6e5f905022ac055a5ebaa5997602a7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
17140f914c353854aa9cbc40f08ead4d

SHA1
78e90dc4ff38b2c81cd02f475b61ef00e0775f5e

SHA256
fba89aa4b52003e0e5d814637dae2448647e77fb5d26a3ae8809672ed8766657

SHA512
eb67e1a0f44b0e89358cabaf9392f72da651aef45359b5622d9b4464ecb3fdf7fbddb92b0a23e382770af23dffb14d9d0de9fdb314aeee18473d1efe0e2f356d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4789b1e460589773b796bc735f661662

SHA1
340002f24973a67122f52e0cd4259af50e01ad2c

SHA256
f11d5bd6f333694c478c9fbdf23a7403bff16f1bbda7ad8df97ec22b50f5500f

SHA512
c936713b59e6555a5aa272426d4b0bc81719b0c6204c2089eb0ae708fa7080fd792de4b20c315f874b7fa2a9413d50894eade787bd09167a4ad819cd9f42409e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
beae5d0c6b386fc66d57c4e868174181

SHA1
5b25719a66845630338e25070da5a4c23cafe19a

SHA256
bf29f0e8c3a74e68a3929fe6181fa03eb625b649db5c9078dacba95244dc8cb3

SHA512
67af6c40d15facc88e611e75908ecb35be04a7862f43559b80cba20c73fb368062e762d919c0b9fe2b42b272ea1a9c6cbf089d9bff043282aad754e7f54f613a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
212e560a47fa4bd0ca5598c5301e07cb

SHA1
c4ff19e65d18547da1c8384044d3540fd435e2d2

SHA256
fa41384b4fdb4acba8a43bafd21022df0948b975f6a0332a62186eba8c2182e2

SHA512
1c869def00c20558b5d6147bd9163065b8239620a351684694a076d1c73a4f522e20773de03d5c08caaf28a9b9d213af89e3a72266dcfe9d4bd5fd9e35b49aec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8535cba65316f8cfaab31ba539fbf019

SHA1
8d84b52e1b06f39ab46e43bd7f75f84d2827ca9e

SHA256
739a283a0c76976a152ea649220fbf610b9c469c4bb07f91b3930fd59101c384

SHA512
27cdd89d87b81755e2b59396f7c465b3802e25a6d20a43e01511f090df9e5d302d468b3c61f1ba3597e4d0d19e60ee23aacf7caeaa8f9224b0bf373b4a78a193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1adff3327c5dc01895c7dcafc25804bf

SHA1
63c749655f625bcc1d9db2b6ac6107b3f5e71be0

SHA256
73521282793377d32c25d808c33161903a6f5264e0071ac575fe05df5b5440d4

SHA512
16819acd2d229e2c647bc456b851b10653a6d79e4b3e3c167e23b21d17b864242d1619dad6ecaa5879ebb6a137a634140618521ecef6f1bf7c1af7e61db5fc18

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6aaf347ecb1395af1152a1fc01f1582c

SHA1
ee08f47e4979f693c9606e82151a0393726fd21f

SHA256
5e8323d700367b118d7c008b9d0d9d637d376758456e1778df1b5a1dc544a50f

SHA512
2b2b9f3d80397725cb5243c2c2960dcb13bec14ca694a2ca9faa494750aa60075589ff4b13c7367807e9363fd635657367f643b6cb56aaa78fdddec16e60d3be

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
61ddbef3f9c04e9b32f4bb8a49ea1f6c

SHA1
f7e45c11f8bb0936aa7cbbe05e3ac10933960c10

SHA256
f58367414cdf4f904af116a557db11d92566a3b33453caa758a0add8d0a95738

SHA512
c4b08b7940217a2dd26534e51b91e20771d0aabb907f9f0b194afe05754dbc725ad3be6c3ec3ec8645dd311baa5a95baa0dca239eeeab3516749bc664721c5b5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
21cc96f5971a4e5d8b31932f9b4845b0

SHA1
66ae23a5c2724594884e080a41f34d46d009c1a7

SHA256
a9986dd11d4905fd4eef1cb3cec625c918675490102345e9abd17b5906c23dc7

SHA512
cbdb15a1b1ee8ef5aca901beb9e80a634dbe792b26c45cf839e09aa78704a219ebc1c248f3d24b13b99090fe0d96abcac9268d6863821e0cdaa91ed65fb4320e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
90d1d8bcf2010a3db241c41e88e830e6

SHA1
745436e68b86bdc2d3d69481f85b4e8a2910eea2

SHA256
81a07fdc0c7d4e4b86b6f4820ee96681c96ea7d9f087b7fb185bee6f9170206f

SHA512
bde5573bfb7e724e01ad76248f5eb0aae1c5a5540cb0e21a089fb4d186da69c963d665a784f7ad5815ae351cd9fce6ef3f6ee6f635ef5dae961fd20f0dfffe55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d3d65b67d5cdc3821b6bf019ee39630e

SHA1
94fcd3ff585af2211db412c523d2f614ed3eb560

SHA256
f0ee20cae60a9976a82da9cb828f898db4c4a2ffed3cee0376ae68514fe2447c

SHA512
39c5665995f7e3287ad95b7fa2e5e31d7e8425a93a9e6cc65bb02c4669fa8728e9ba92bbcf4ec7bdcdafa875aee10a93923fafcfde9ac53925c72a3f3bd45aa3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
acd31a38a666c1f24c1484493d9a0210

SHA1
13f036bb764942f662906672117b8b2e98eb00a4

SHA256
b1e76a90f4e4893ff7032f9d787ec89b721cffb0c8e2272e551d7b0b49051547

SHA512
b8ea42fe9330a00f50c46860e418b89c26293b19db77690bb1fb56bcf827a782b9a751f413767f299b95ab322d8fec8dd6f308e02c6024ffe6a76e04bec54d55

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a7ff36db3736874b29cc21c6d735c55f

SHA1
2526b45ad4bebbed519c1b4f6e7cb684ec3d4b92

SHA256
f3eb9261466932122e6edf194048d569fb915bbf27aabd2b03c80494df6621ec

SHA512
79ae01b32d9031c44b2dd48f37b4a237f71f7470bc7f600d74e02af226f5287a4bc7e85a07942e7028e0f300af3fa0593ce299ee35ccc6e29e17b2375eabedbb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\35636cfc-08a1-4d88-9a98-71b9f54d4267.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e548fafb72824c127e944dd2a9c6ad78

SHA1
c67b025d4afb97ca45e0cf839e09fb06dc5de607

SHA256
fcf7657040aefaf83b38ccf578fc83946f8b743cb2d7373dfc0e9e1866272509

SHA512
f4f0abbca01437aab472e559fa32590db1e54c1b1dad4facada009742782241ec009c622b0881888b9c8cecf215286772e8fa05a873ba369fbef591e5099321f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
abe6dd0f26ccf1ce4a5f0249b40bb45d

SHA1
c2130e84f7d591ddd76137ec68296decbab9fe08

SHA256
3c0e93d030a51ae591e75d35878fe393ffc151aa73cbfe02c6c3db95280ab9c5

SHA512
14a78e00cdc4e1cdbac0b1b3aed81498a9ba3b91e8653926b64255e3e689ac414b8adb232bff308a21f0e08db16de2c2583516012053f23d819888136344c4b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
64d7569e7e9cd59b61724e5ca8024d2b

SHA1
7e567c8f3a278f528fd7d85d462cce4e56bb8e79

SHA256
8adde9c0e5b89d0b9041d73f1c9ef531e668cdc1d020e7625e45f7063569ab1c

SHA512
b4425d6dea07aaa95039db3491ace66ff0e4e64232309b2c7dfe29200823454c3f91391db09b01b83edeb298dd3a9ff1dd0198c13230763553160e5a2607efb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
46e984508cd34c3aaa6ece9992a95426

SHA1
f8baec3d93d4fcd2e73ab57eb78aa5e1858100c9

SHA256
a66c3b1b7f30db013eec9edf989a2e3a2b751ada0f73e76830197bc68de7dfe8

SHA512
960308e82e14f6d104a98c3233238082cd8ccd67a2839276d78e2d158e232e825124ef9a078e309a547bc5b1a86a67533fc2871504d99d441e897c78ecdc068f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
af5945dfdef66d8aeef3e8722e7b360c

SHA1
04061b78c59fbdf50ff771038119105027991b19

SHA256
1e68d9a944d77c9758fa000c78e08c7a70b46ac507215672aa325c111172b767

SHA512
2192e0317a62e3b98e4ac94946a7eff59da0147c79dd2539ab9b27cbc0974617adaab0b9c673379ac51990e3e5f7b3ca814158a760e67ff32d0f6dbbe39f986c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8686dac98b70c705e0c783cf5deb6a0b

SHA1
63f5e462b97510af10455d79f1ff954a420b2a70

SHA256
039f2b68cc86cc7ae53928aec091781db352b7d55328c166f39d72f1de46a1ec

SHA512
f1237ab75e0f0dff2a18384bedecd4fb559731ac802d9c4f325da0c8d5745c3595151b7dff68684e8b1b01c42e05d232d681dde26434c508bfca66a8b00e6891

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58196f.TMP

Filesize
2KB

MD5
a361d3291546212f08156eae58b34e1a

SHA1
89d7162134759edc4109797677471c64824c4130

SHA256
c94bf51d6a92796deea251ef7bc1c0bad2f1fa49fd8a4f62d6800ba729d275b6

SHA512
1100cf4de624cb6e3030e83629e5574da48e5d498f1ee3508f4b342b3f020a40a58ed7e83db413dda0036f15b81c8945f9491ae351647c579362b09f2654c18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
551a98c2fb82e00746d2d18fca23eadb

SHA1
71f8234dd22324149f57a7c78db4e4126b872485

SHA256
4dda31eb52b8b4680789f26f612935c558321e86ed70bbe1662230986bd0bf94

SHA512
eed6836d4bfde459544ef050944bd39cb85b08322ab2c9dc632bd4eef8702b00d453c701e0c6004da393416c8598dd4e117fa1bfc3b6c27dea9463fe4296ac26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
c9e44b63f46d088aa123b2bfd89847f6

SHA1
f863d32b2fcf721026987f4a2cb8e0a6ba5d07e5

SHA256
01f85635259540a93163a6f6e55bea76bbcee858deb1c75c2b5d307ca581b002

SHA512
0b83a31ea5887f72d201de50134da9b57cbe33f2ddde4a6330833a13913ba4bfb539d898726d29aaf5343297a16012b77347f7d9812b23d3fd10199022147ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
9ab15c7cb8aa02364ca8fd3d6f9256cb

SHA1
ea5a7e2671451ce91e1367f6841045ce92f4addb

SHA256
ba72517b5554bf19a7e39c8c5d6d6cba6c89c6cb81ef5a546dd4882b9c3f8e44

SHA512
31b9a0388a290591dab47e0cb38d5713d49d06f87052274ca45972b45059d9f9ace953dbbff2a3a62b9ef0e5f9c21451c6056166b42b75ddb0c16dfaab57cc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
3381069e43a7b19a7b41447337805ee7

SHA1
f165dacf709ab1dc841fa18ff0bf6e84da4c7c09

SHA256
b5437e66c6d8bbce223c36228f7092e7de1b20502c93dbf1b5c8e8d5fc089124

SHA512
eadbdff08509937abb2cb714f103282bca445cb0743211739d36bce735b59a58941060b93135e925fff94f03dd0c8ae737865601b78c4ceca82ba5884fe9f0b4

Download Submit
C:\Users\Admin\AppData\Roaming\a0c3e39385dff9a7.bin

Filesize
12KB

MD5
6049d46e89495641c50a3f0b59ee4b75

SHA1
b6342ceffcde157e7c5fe178549b01283c6e4808

SHA256
659c9b6f96a7d93ae44345a9812ef01e8f91beca005ab5a9347c56f08438fcd6

SHA512
c1c035d3b68a75cbcc4cb9ce76af60c2a61644e1153f482bba0493326b9e9eaf3db6596cf3fbe1125c412620d64ec895905a4b50663ee2e008ab3ce23b9fcd82

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1c3b8073e8f46bf7731193e9cc284bae

SHA1
ab2bddadc856716647dad6ad97f4b031ac3b1e2b

SHA256
de9f62281292014dae96ed0c10ae1c81a0887f6ab75977c562d5b52aa0692e2f

SHA512
51626ce24b7b061b425af3749d363a3e60733337bab0d805bdc6468132eac06ad4acd26a778337171e9be032aacf6cd34dba7617094ace3034b8508a05cf040b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
20ab0ca175f07bf078ebc45ef0a5443a

SHA1
0cf49cdcf5f542e1e0a2c2fe55469ba57e15fe02

SHA256
7b6e7ea4294d0bcc554f273cd0d56ee174a62a5f21d31f25f03dfb2f5e5e93db

SHA512
dfb903ed66ceb0fecbc1e870ed2c776c9dcfe14faebebba198a95e58af6d690e9e8fb4e56ef98e706866702f992f894f66fc22c48bc7d53d69ef4dcf93f843fa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1518d6500bb817ed3a7aeed1bbb51306

SHA1
66d3b16cc3dda23ad3a3017694d412e96f7303b3

SHA256
9354e62321ab83a0da82f7b5c12d2313807bd52fd676b98ceaea3d90168e3965

SHA512
1d038cd7ff61587cc9d5392dc3e899975c1fe803c9cd5ea53324e1da3f3597a0539c6baf0de92eb3117265a83f0c865ea5a2871b6bafdc66d82798dd63694204

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8c78c395c81ffeb655df46d96ee8c7bf

SHA1
841e2dafd2ce3a04c866e24e11480e2ce895e936

SHA256
c89cd6abf53331ddb2d4dfad0167f56188c597494c2b36aa1b7a1008c47a9e5b

SHA512
a3a71e4d265e9e65e3b0ec6098b2651f93c185345aae3632bd3b6c926b5fed2683db51c67f15209131fecbe883c2f957129b3b57bcdd4f44ac898f1e67ad27d2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
987c05b0569facdd46f54d075f8df8cf

SHA1
8c119f4dfcb98fe37b7c1a2d826e58566be090b2

SHA256
690acab94149e23fa8d9aa4c8905d00f95863e76ec2fe21a9097ea03cf1cfa72

SHA512
a8e2bf98229c0126485633d94bb17e98737df73283d0f679ff7a525a24aa042e44a169fd47a083079420da08e5a3f3f2ad84cd4033fb455c7b21598a3139240b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2f38bb460398d23acd90362d040c5d00

SHA1
2a0bd3c676b49976876d29b723734fe303d485a3

SHA256
7a1e5bafc100154d65959472138a64c05e554ebffdb2b7a3336214905d001ec4

SHA512
762f4efed11cdb8c8ead10b1f5ab647a4286600b507173eec4c413f24c378b66f7bdca04239c5c7534e6f9454c0d91486a560244eca3fef73bfee43ba4cfc64c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
612e9824b4d67fc3775845633dde2d4c

SHA1
d97aa86fe9f0236d1bb9d11ba5c06ccaeea2da14

SHA256
7e426faa1ed0ff26bca74cc283380345cc5fbfc5d52a1eb52037bde4a87d20b6

SHA512
8b9340f8c92cda6459220f64fd51fa43028e96aa52d9c56d91f8a6ca4cf9e253cfb2c678cd421f94c34ab2d56271a0af99df80a535ca640b5a6ed0235e647e0b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b39ab3f5f5428c9f449050fd4277dd68

SHA1
6c2b6efad1054eb3e962e2b8bbf15ca7c2b43418

SHA256
5004b8c62f69a488188c063cc27af6b6c2528b06951c6d99e1a4b1f88376ce84

SHA512
c2f62bb7b1dafcc9be0988ee5584c87f4c431ac5c48d30ff2c4f6e278b1ade1b3107a89f677f0f4e979feb6e62a0464ca19baf133c8e60952d3ed1a90f7077d8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
10bce8f23f1359b2989f0efdef8dd815

SHA1
de51fc05de62bd21aeae2cc2ac9aa786c11b6f6f

SHA256
aaf47e24c62d2bfcaff994fa8d7fa617eeaa7bab2d6c6b3c3dabd0164ecdd044

SHA512
a6669c2826fb87dc2452f6e524571ea1abf311fc07ef2c15eb282f807a214657414b4353bdb9df7e1ab1bbf0d48df87e17aa25fc69520679002e7d4d36cd76a1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e22e9d276ecf74a522d0688e1cca2464

SHA1
b8360321aa4150bffa3814536a94b1d3e3988dc1

SHA256
daafedebd950dac328dd00ceaa8f5e84a67614481818fb93f28698cfb7987e34

SHA512
e99b8267ffbcf2c7b8a007ad7220843670c8d1374d06f69fed109f0ed418872f91982d9c901e4cb610bddfa61f9f6ce9d0e73173d9fc68863df22ae36ac1b588

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ad219d08534bd54be8473feb7f2cd753

SHA1
f5f008d243eafb977d7b0080fc8d026e948fc01f

SHA256
e32d5b25cccbfd0e0b7a8d130a0691ad9f1e80c9b44314abb3f9e9f2f61c1808

SHA512
7de78b1b0a5f573ed6709efd2dd754d3a59128287809e5922e07492ecf7e006a058ef7291b803a97fa7359a460821338dd08a4ea61bf8b905f800636effe36a9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77c51a4b8b82df91588faeefdca78b3f

SHA1
7f4e1b2c7f0761aa8b85b6d0b06515aa5b52ed1f

SHA256
044892e94dce150b2bdec51a89a33bf71c618b731bae11fa821dc0284f60175e

SHA512
1f9848cb0f307ed434a74cd52a819fb456a0f025ac7fc94f2cd3ea39a0aa67051ce8058d96b24193599eb1218597208662f4afaaacd966dfe503e785cfda53fe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b822ac7cbd001c1059697c48981aba4f

SHA1
8d9eb9716c1ff25b3ac017773bb41b05643948e3

SHA256
4e15fe8d535fae503d8c735ebfc0f09471fa0d29e13b59e1e3c5b3e0de944aac

SHA512
258eeabb302c9782f5de30d9cb4747d14d07e7ffc2caf73a2f36d2c52c8b30f0a4081968e2e05f4ebd018acb2beb9af2f5ce1eb950e812c303615cdb9c615eb1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bcad94012c65a46975bc1a45c203f46d

SHA1
435f0b57b8ead578dbd09601eb21f799ad35a43f

SHA256
4f2039671528ef163783776368d6bcff4c7894fc147f9e297696e9af3ab7e530

SHA512
cabcd90102e91b5fda001014a815b11696772fde1f5d9dadbe66735b0947501cbed60f7927a740b89bfcaf4efdb54205f955ca14071ab6c62e3e1d310a64c00a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
edd4cb75b54b265838d6b090a4598c04

SHA1
66b8cea22de3c710363929d0daa64e49b865bbb6

SHA256
e101fa38fc4d387bc21bb6f533c54a521e89e2ee88dbb77bf06df2f7e6bc1c02

SHA512
b6cbb3349a8bccbb79c5d82515e95092e3c2bb14ce577d7266490e5d8f20cf5c1732e1a6ece2fd9f39f0938500bcd84987494ac5c4d11c0c1d88a7869267a581

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
14ed3f6c1383c11eb2477c8b448f63ea

SHA1
080c0e1066f82b15c24ad8d4fae2d19b7721c2a7

SHA256
c93c2039d48f2e69c10d3368823796c1de33a399f608801fed29d6258cb607e0

SHA512
3381293de3845e0a416dce24c3177b470b17fee778c1eeee67c7191d8162aea1ae11595a8000e7751ef912e3082333305a3b27d2ee0f454e45fd97e8f8fde9fd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2f3aeafba56b4689370c22f76d1107fd

SHA1
cb6cf7d68447f64bd3f4ca76636f62b01bba980d

SHA256
d6d1d70a72ef1b805c45509bda9a8416f62024d6537156be8155a76430cc58a8

SHA512
dee4281c11ebb0d9ef6d037aa5c045050249922df134bd747d1aba9afd0c50eee7e53876ef268d249002c767cf628856dfb8c8ea420265958d6f6c2c36b59e15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fc2503ad9c43b84951c479161e4281a1

SHA1
1db780dc4e5b85ca126e9db5d632a61cbf339745

SHA256
8d863ab6ce69f3baeb0b6e68a97592605f70e4649b0c43472db3a341629d7ed4

SHA512
c82efd772ff21c80188458ae94b9b3edec27f36084d3eae73bc3dcc8511a99320f58df4378844df922326d4caa06a4b705eeb50463054ef1b33efa02578dd9a9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
c75904f52c5a3d06d039d7e29d12330e

SHA1
01609a94c02faad94d2500a526a955eabce1584a

SHA256
7ead57eb6e58b3ef599ff51ceb37d2b3e4355de28713b5cbcd0cf56a442f65db

SHA512
b55a3ff4fb2a25ca29e8a4a562166e5c13a6b63291df4e626bb19d33ee03cb9056dc9348ba28cb35ddefc13c3b162399cb260b91c85b2ccd1ab1a491ea1dc162

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
09fb9d81780b63168a9902204f7b33ca

SHA1
7c616d4ae50125533bdd0a2e814f3985d64805ae

SHA256
92853be62281595ae8bec6403451185fda35b0f7e696866d1fa11d613caa8446

SHA512
9b7654f393741c8daef1f1913a3a8f3a082fc02fd8998a02e0336b56321acfee544dcb6a7f95ce9e13ae9497ef95f440f25560bb16c100fd8479e25c92846944

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
11eff7787be7bb181a6a43d9194d02ab

SHA1
4a516469653d60e1eccbf63fabca0761895d20e4

SHA256
4fb5b0f428cf0ae04919060dc070ad19d12b8aa1b3d1fc326b466d33b9b6075b

SHA512
c35dc2a65b241b7fab16425a24bcd1aabeaa09a361e5e648e2dd21e520aa5bb1549aaea02e953d788ac10d8216a5b87a6dbbdcf2f0b72d2a37d2087592853afa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
18c31b522f8d1204838c649c44e9543d

SHA1
f5f80407b1a19dc9e9a9dcda6bd2e78e4e09f57e

SHA256
6fc0f67634e0aad297f48c101bc89d97d8171242fef563726bac440a1f15e1dd

SHA512
bea5f021ab8e961208614acb437f4033eca1d97aa116772d115d60ca6137625f253f4f4b2917e3fa910cd5496767edfedad61b8fa49e3742d9d29e57851b5f3c

Download Submit
memory/116-374-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/340-369-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/404-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/404-561-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/684-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/792-90-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/792-102-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/996-357-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1008-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1008-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1040-528-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1040-691-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1680-378-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2364-360-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2380-359-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2464-39-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2464-40-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2464-643-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2464-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2724-355-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2892-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2892-1-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2892-25-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2892-9-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2972-372-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3088-354-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3088-468-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3088-73-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3088-67-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3560-551-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3560-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3560-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3560-18-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3888-368-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4088-379-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4408-367-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4576-353-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4576-656-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/4576-80-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4576-86-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4708-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4840-55-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4840-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4840-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4940-693-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4940-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4956-377-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4968-76-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4968-63-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/4968-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-57-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/5020-517-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5020-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5040-356-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download