5c82d7da72655b0d124870a8ee3a4d457e97feca5baa908232243c7780e98af8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
Size

5.5MB
MD5

fce6f1e0c932555fc58c6e428b140cf9
SHA1

886e873dc1217ff4f2d445c11c0923c3a12dae26
SHA256

5c82d7da72655b0d124870a8ee3a4d457e97feca5baa908232243c7780e98af8
SHA512

a9adcc74fa3b321caf1dd6d34f25a8a0824d51865a45d00009ef616ab3b029eaf0f7d74fb0000b1261b9051a9503a5e70fe9883666a20d810727bf9886804d52
SSDEEP

49152:rEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:3AI5pAdVJn9tbnR1VgBVmgqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2624	alg.exe
4836	DiagnosticsHub.StandardCollector.Service.exe
4784	fxssvc.exe
460	elevation_service.exe
1276	elevation_service.exe
2240	maintenanceservice.exe
4512	msdtc.exe
544	OSE.EXE
1616	PerceptionSimulationService.exe
1900	perfhost.exe
2192	locator.exe
2912	SensorDataService.exe
3516	snmptrap.exe
4488	spectrum.exe
1100	ssh-agent.exe
3740	TieringEngineService.exe
3424	AgentService.exe
3784	vds.exe
3752	vssvc.exe
1208	wbengine.exe
1180	WmiApSrv.exe
1144	SearchIndexer.exe
5944	chrmstp.exe
6016	chrmstp.exe
6108	chrmstp.exe
4196	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e6ced5014ba38143.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b082e6ce2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009602c9cf2aceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8b541d12aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfb77ccf2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645822005877677"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b4bacf2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e83dc4cf2aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e0df0ce2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3688dcf2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000999961d02aceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b4186cf2aceda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3792	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
3276	chrome.exe
3276	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1964	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
Token: SeAuditPrivilege	4784	fxssvc.exe
Token: SeRestorePrivilege	3740	TieringEngineService.exe
Token: SeManageVolumePrivilege	3740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3424	AgentService.exe
Token: SeBackupPrivilege	3752	vssvc.exe
Token: SeRestorePrivilege	3752	vssvc.exe
Token: SeAuditPrivilege	3752	vssvc.exe
Token: SeBackupPrivilege	1208	wbengine.exe
Token: SeRestorePrivilege	1208	wbengine.exe
Token: SeSecurityPrivilege	1208	wbengine.exe
Token: 33	1144	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1144	SearchIndexer.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
6108	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3792	1964	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe	83
PID 1964 wrote to memory of 3792	1964	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe	83
PID 1964 wrote to memory of 4908	1964	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe	84
PID 1964 wrote to memory of 4908	1964	2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe	84
PID 4908 wrote to memory of 3284	4908	chrome.exe	86
PID 4908 wrote to memory of 3284	4908	chrome.exe	86
PID 1144 wrote to memory of 2044	1144	SearchIndexer.exe	112
PID 1144 wrote to memory of 2044	1144	SearchIndexer.exe	112
PID 1144 wrote to memory of 2032	1144	SearchIndexer.exe	113
PID 1144 wrote to memory of 2032	1144	SearchIndexer.exe	113
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3556	4908	chrome.exe	114
PID 4908 wrote to memory of 3996	4908	chrome.exe	115
PID 4908 wrote to memory of 3996	4908	chrome.exe	115
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116
PID 4908 wrote to memory of 4000	4908	chrome.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-04_fce6f1e0c932555fc58c6e428b140cf9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa52fab58,0x7ffaa52fab68,0x7ffaa52fab78
    3⤵
    PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:2
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:8
    3⤵
    PID:3996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:8
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:1
    3⤵
    PID:476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:1
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:8
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:8
    3⤵
    PID:5776
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5944
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6016
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6108
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1844,i,7606737910735507024,6953420630248299235,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4488

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2044
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4401617c6f6a6f5521886bfd8b8ec8e6

SHA1
071105abb1aa4ac30859ddee40dd85c556b2f53f

SHA256
5b58a90f96a54e8daec143612d45c742dbb9dd3b304a7917b06a75070509ef62

SHA512
632906057e9b6b2c25806ef57c5f8a87548834d9e945917eb72c45b55754668c1361d332348a54fa775cc560d7d8f5cf82b4cc218186c77607840a8b616bf1bc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3fa95260bc512fc474f18df190d11338

SHA1
2c22da24315d8db98d94665a495ca3f5c13de59b

SHA256
20b508266ae50d1684366252af7889918d08bd5abb4016799caa18ea9015f39f

SHA512
13b523c925e4055ed9378747d5c98a0cac30d1a598e25e957fde0b6fb8ab15cf7489a452c14ef3bdc403579f59026d2eed24523eda4fe8e994075743e7f8aa92

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
02d5695ce0854d218c6158e9c383277f

SHA1
406daedb4472a8e524af5565e9f3792acbc4e40b

SHA256
6dd7e922f6961d6dbd83f13af2279d9e5d94a1ed3bce835356fd2e2d245eb15d

SHA512
95082bca1e81df3ecc9a29cdc5ac23e3d83cdf0515c258584cb2bc24dc09fe0d275f9efbb63966a0e2116b1bcf3ecb9ca6da16135ba1b81bbdc79350a12a0421

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59164a2042450ed6ee9ed9a0d422e951

SHA1
4721b05dae61176bca110c118ee307650854cd25

SHA256
7859982762e045e9c3c61678b8594fadbae87e5a6ec04dddf042892c98f39ce6

SHA512
6e9bec05bf1ec7753a27699015e8334fc67eaa81b672117bfcd8441cf047d1ffcf8ad6c7891aa5500156bcb445b7a932e344be088a60bade0a2d139132a5e8a7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2c72098442d8504ac532a650e6579e57

SHA1
25dc99f16019e0a0b38d9276b9bdf0ccc65a42e0

SHA256
51eb5d7670a11e7a45da21412a87ab371b4e060cf79b51797dc8d2378c38bf0a

SHA512
6270fdc1bebc92458a302fc350ecc7a3aeafcba72aef001568e453796a745eefbb2ed33dd2ffb0a402cd76566d6a90a70f860aa45c280198a864a73136fadfce

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
1dd4f4d1c01e07b0f28796096911f69e

SHA1
ca173b89bdbf47363285a3ea3b44e65f866184c4

SHA256
cb23d174b93215d0db1c1b13aaefe153fafc860d43c085e74cb9296c4a2ecb9a

SHA512
7e4fe4aeba81d3d55c06409d4c13ef771ec69618ed18e16170a4928507d786c18cbd44f7b719b8b435dd038697d70ad388c6c093c0d24921ac603d8976e70c3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a5017f2bd11a5b34b73f3251f0adc0de

SHA1
8d989def8baa6224acc7d760cdd6760bfad32292

SHA256
4e2131e37032cbc8316f4402bf211b0a98aa19f4f7de30999fbfcac0cdc689c9

SHA512
fd46cd0e2500ec7a754814f03755eb1dbd4a9ea87cc6332f7ce906f09ed9a68cb1134d23750ffd4c0dfebb6d6317ae19a2cf8cfa4d3cdf1a26babc3052eb43e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
111c90f6b715f5bc05faa6a5a66e069a

SHA1
51acb0d10118c273743ee0ff7cecdc66a1f4343e

SHA256
70b55f46a2d72b404910b36d68bb3f141fec626e24868fd5ecc31a7f221e3bee

SHA512
24ea9ecd17f5e18a3587b9504d954b4512c015c878fec302e55c8978d31acc53b77b57135659d8ea894c062b1e609d914b66d1bcda6ade09ccebdf251e24331f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8dbf0d912140a8ff7ce8a415fbee5ae6

SHA1
f0430c2173bd6cb935aad7d839122b873d0d3df0

SHA256
e451d1a4da3ca6548e03aee2735e51d598e8faa4dbd9d38a960bad23fab99918

SHA512
27658e3a478332ac73627707b99ce291d96b4fb565dff0e1c2f9c87547f7d782ba87f9140199c79b7c1fdc7d19b2d7eb17e0f878262ded4cb8a617a4ab87c9fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e9bf453ff58a38f94c796ec7932ef4b7

SHA1
243c1954a38d8d9d034234cb6efc1aba6649476e

SHA256
5bec4afe8fcd6ca08474f00879fd734edcdc81ce0480f6b7c9a41302be50dd14

SHA512
dd46f8773ceaaa768731d5063d6cd8d8f7b9ee2d915fc131344a978b5cdf161211a784ea8f18742de7e6bd193ba65bb6997d811222189b773052fc8f919c4e34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
255ca4e7d088c8a87e50a78c22a18e9d

SHA1
0a148a54fe035312ba8b7b275b84396d242a15a8

SHA256
6ca25239c3ad17b3f60a8c7f8a42d5e2f0cf5c583a4b0e80a5571c28d04b36a2

SHA512
78a23eb6b57816a6902503d2dbbdd227e33f24b036216e750e039575468b6b1c104ca0309cdd0eee1723b4e3df46467fad6952dfd350a2e3d4079e41eae254f8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eaa59fd35a81e030ba6b9ecf94279562

SHA1
f17f4f5076a576fd50319a15ac5f2e24b2bec5b5

SHA256
0794ff33b0b9e5cd1c1843fa2e45de559b50e1b313948a15ab552cd5eb2baa9a

SHA512
42acf85b50a4d1d6904884f8ada58a5e960d1f7f91533f97c42166ce8bcb3339590d176ed582e32a697b09459d6325e80b5b0f93ac6d82eaf3a5c7f562b995ce

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
962370dc8aba97bff1e4a65fed46763d

SHA1
b7fbd5e4941e75e525e1a8ba197e4ac71812f50d

SHA256
125b1183d8865863a8b880fb9461ccb5bfb08bfb1b4e67cf05dd52a066902723

SHA512
7bce6598461fb998050e56801f5acd42256c6d2711daab4bcab52ebd15301afd3657f033bca5826a49ac2a014d81ad8747cfd108153aa0961a0957a9193a7c03

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
afa3b251d2c9e2f8f0ee05aa2028927b

SHA1
bcebc96e00da0ff1672abdfabe9b590b21d4e015

SHA256
652d5745881ff8814cdaf824cca8965933c7b8b0d995a7ce282418976dbc9a33

SHA512
c2c9241c5e09eddda6620290882ccdace2b0182b6501f6879e998d330a8faecedec729fb69fe5b9cdc9b95c288494a66a58426c514ca94bd161b2b12b267a05a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d0a7775945121bf8095db7f5a242ef6c

SHA1
11b649f8ee51b4c543b8287ba2140073f8cdbdd2

SHA256
4baa6c5e4ac7961cb573665d439a9787b461f9304ade8520886b5a40fc90ec2a

SHA512
8ced91c4a938a163583c2be1cf7c5a3bd0a3b9996869990ec428549bf232d2900a55f6edf761c1e11fbfb98b320c567216ac01ef77d32179b2a8d65c1176263e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
aa07ffdfa9a16a2a12cf5991f633b5e7

SHA1
40cc5030b6d81c06bfa219f5b157c4c172f4d51e

SHA256
1a76f11d834e11879599bbe89cb730053d8a4e843254500577cb4db1f4924cbf

SHA512
349e9ad369615765acad66004c9c167b885406fe6ac0b9c7f6c6e6055f39a9606547346ba7989074b567202e31144364b58a00c8a5244ce5409393454c593530

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4efb57e8f448fb86316116bb3c0ac1f0

SHA1
6015307d3a06652309205012369891f18c4f57fb

SHA256
10bfd62202774b5056652d250b49013be400246d18745ab5c4809f3a02782337

SHA512
5b0d05fc50746f6347330f385f57374c539cc6c329d37db5681df6bf15af86431a2e0ae87d254ee8c01155b5c90ff931c6804107cc25fc7aed87d2967ed2c432

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b5020b77b925a51ce4b3bd82c6a995c1

SHA1
142afb968fbbc186a7f436078f729087dfb84fbe

SHA256
9502a16f36fd3dcf2aca5511ff9eba9a1881180dc19e0c9c11a49c5521be2ce3

SHA512
dc27f369fb053d0d1047dfb34fb28b8ef3eece8cd09059311ae3a7ca00316a6d351300bd3bd9e4c25900aee38520cdb02de78ac5c8d31675f65bf532dfadcd1e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e3af2ac5-f157-4294-9e9d-74cf6c2e58d1.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8d885fcd96d5551b1487f2f867409286

SHA1
e0abd1776679e78a8a5c8755ab050764ac6a1e2d

SHA256
71d1e1aeccc7c1e7fde03f92cc356a19d416074ce8143577f731d523d6e28054

SHA512
540cb6b251a5751515374fab53947d306425e6d9f6dc65b3b3a38040f83d8dac40b5185fc82979a74a261f5801e230c286423b6f39f10544f12c720e7f06a5c5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
86da32c1e986dc22c82557db0444a727

SHA1
49b5c765da396394942307fd444e98c5ac5588f0

SHA256
a0e73b4dcb166c0e58d661c06a4c2a0b6d2f3f30ef1c5d2182f1fdd4f547f429

SHA512
238fe1764e8966dac8d41a3badf279d5073b12bd1da0237f7a861778a68baa35b9c2bfbed2ce70ed359c27b0bf5015020180f1d0e28b89294b46a61dee3993f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ef8f201b630ae875a0a86d28c094d857

SHA1
4f172ce3ac0adab43122587766684b15dfa7d773

SHA256
e5b8cdca6f04f71cd492af83ca8730c261d9c0bd07be9131472a6c8aa2c0af83

SHA512
99d86ba347bc2422f35c915fcd0287fbcd1a92225ce65108cdbedd315bf94a581ae4453f4c2e16f49062cc27da7c3ef293423ef9d8789365134e302c393cda42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3a46030f8ff58f760b66610f48fa02f4

SHA1
6f2b57a7db2cf6840100e9b57d5338662ea5188f

SHA256
0ac85874cc5b7ddd7013f8ab159ca27fb762c06565fa2166a926c6f707f7f34a

SHA512
00baa984545878b4fa1c6f44b779c1cfc4491a4e6eafadade5d3a053bc42a06f5e32351eb37102835d9363092383b694415d235a77ba5e5c004332ee631ceede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b3e3729c8df3de676e5abe04e4ba733f

SHA1
a69a796000097e9abf02be62cda6b9fb99d019e4

SHA256
f733ad51c3b6c6fa4c68ca4af64822872ea813d2acf27ffe36c4bb3abed07640

SHA512
62590c81aa30d72af882d6837fb671c2610335f4c25c70cc94e2250cefa9296194ba544418d9d91843da4c5fc63f4a5052236b126fb144208518b0b160b0e461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a940.TMP

Filesize
2KB

MD5
e51001326fdb734e7394cf6934f68920

SHA1
74a5c58398f50ab8cb348ab623ab2eabaf5479a7

SHA256
6df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292

SHA512
dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5569c7e0a076e0526c7add6deb4d0b08

SHA1
8a38c4c12f619479f0686adc1786f2565d4edc28

SHA256
861de6f715efa9ced8539efffa32f293e5602e171f8f96f520f2c2a7373a7fd3

SHA512
3aa7f54f27b2faf24e15d4eaaecd14197ea3b98401ed4ba070ba3b8ca3b1bbab74c823abf2f4b49fe9425cfed19c46cbd2029bc8038f9910d95e8ec3bd4acc54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
d800c7fab86073ba95746e77089db011

SHA1
03566ab97b86ee305c60e452c74f858fc4bfda70

SHA256
aebf2e76fa8a49d7bee4bc4e414a0c027fff3df8680055fd096b78e6298c037e

SHA512
69b2f3c8d1e0dfe312323fcc83e90dbf779b25312cc0f76b6580fa71b55df503d725e68ec7a40bcae36ecfe050c9f1dbaaed069f93122c425b003fde96992dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
0e9210d3647bdc2f623d96bde7558ca5

SHA1
de909a30f29e504b056ed3ca9bc1389bfdfcd2fe

SHA256
9b084c2aa45e1728f6109803265b3e24aeff8826a64bb1cbd0a51bd07c2d4d30

SHA512
7cec4740f450d85bf5454d8bbb6c30d9b2e12e174d7283f59ddc9ce57f495d7e5db32eeaa04ea06c38030e567daea1b56747ae7703600813d0a0d3d551efa92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b8b74efbdd8aa3129cd84bd39c43ea18

SHA1
67b063447951cd5ae33a86ed67c43bebe4e3e65f

SHA256
6bf987a57b6212c321cd962df091c30d2c909ed44e9f12c5ff1278b024cad6ae

SHA512
90e52ead5c0191a25892e93019b865a94c66288239e4c8d73ab24b24440a18935461b02320df5ec3eaafefca0068752f088bd16f387683605ece039ff62f2b77

Download Submit
C:\Users\Admin\AppData\Roaming\e6ced5014ba38143.bin

Filesize
12KB

MD5
ad5221b8b3b3347c6c2e6da5deb69dcf

SHA1
af2786b30ede2e27d92ce3a289fab7c087ced353

SHA256
c42c1130c5547e51b73ddaaba57bfb9c4e6b177e257ab86d47b3fc471d8336a8

SHA512
53466b52717c4fca7636fb1dd278acf2582329620dbed96381ef0c727cb459afceb606a9ca47caaed27595dd377f2184ca24af5ba81bf62ac9d9f68c4da74453

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8e8b09dc3bfe9c00b5eaf03b80584ee6

SHA1
ce4386c8615b29be2d31f5cb6aba9c1dff8cfe19

SHA256
16b2895c1fa53e6dc4906ddada29a1b68e0e25c5add8117ebe38c59d7de5d3a9

SHA512
20ba108f09001a572803454d3feff2366c579f03420d5d2a23e163b6918bd1d686ed6b083622d40848c8b85ef363b346e21cfc17fbebf6f09790705d05b0edfb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
78a1b587d94c4dde8f674f9dcdc0379d

SHA1
6ceef789fdc0a919f18cf6799c1646151bcf8ddc

SHA256
f0e69d4f0977adb0f49274005c3483c31e747840c104451452b448e80d728bda

SHA512
32a16dcac2ceb1aa04ce0dc0c5c153b58d3d9fcdd915aee44915b0b9d2f2cce50c2be6ed5ca21e11d965aaaa1ee30e724d54f55c41f227b387256d49f460065c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
c21e91fbda42583088e26002daf158f9

SHA1
f7031cc8d302920e0778c89781b9b10e0806b588

SHA256
fb23a8067fe1119e3ae9174d65f37413218bcf2d7976696955ced3ea52e538e7

SHA512
1b58becc9a45a5cb11f65858e43db418c6254140220f33c73039ca9fc40156681e1b53b657257686c399484fc072310a4945b9bc5f3d2722a858479c2a36e195

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2f44c3ebe857707b17064ee8b30f5c61

SHA1
8e04742cf4f511753b73c109fdbe7e1693ee7b2f

SHA256
02ab0987b3120bd03de4e9fea9534d4fba2708dd201740d6481e7b9f5bac3a47

SHA512
baae95f4e252f9bd52baeff8695c96b6fd0cc54a911a00178f4585ca236b99c1b00f28e8d96824835221305d8a61fe55a206f2a49e5003f8b890233c5f308a71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9279598c381fcca114a9e23fd5cffe5b

SHA1
67596b88755a0a98331f3465350351248601192b

SHA256
60fb741eaa0ba18c3ef62dc54e42f5407896254a0bb0a3b89b6da478cab7a5c3

SHA512
20febbd765c49f926a5bd3c3bbbbdcc58b342ac385de1e66f0eba5a7a4d36628e931b3e71f9336f64ce4acaafbc3b7234744fd1f229aa5b8203110b52116d4e1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e2a04e0693dd96a450c00f147e8fb25e

SHA1
683e776d4c07d42ca74a2cbe11fe3d1e764f2227

SHA256
9543626176c06a65c35fe2a465c35705f9ad03c4e8b5deb6eb015af40bbdca2a

SHA512
679e598fab74b86816e7ac57043e9664877379c58f97ad06fce9bc1cd1268c573d93bda69b7267a4afd352c35d89d044791bcfc4135f022ebbc307b9002b9a14

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
24565d8757efec11fff6e4b80e183e14

SHA1
8264729752ca03b6c5b44160291ec7a84bb8802b

SHA256
967c7b9543de4079f0058fe9be21432984c4ddf38ca6b1e0b1d905c8f9ec6172

SHA512
c7d1d5409b656d096149665cb0c9c6ea871376a912db200a3362a69d873797f5297e64ba633060a9eb8d6cae2e8d4571275a9f2d5d2b9cdea39ed884e65c215f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
896caa73d09f92c68ba498a950f2557e

SHA1
dc05641b7445f67201210f65a013025e8744820e

SHA256
70e03e56a747d881b876ad7571d7a3cc67f109b1069a950c6ae09de5ea2fef52

SHA512
19c8ef9e00e639af9cecc3d8e3f75f7cbe0525724ea76d5d53d779660499a0b646d1ca7810f64b4e31afa6a9f54b31623b4bfc8d83d07c1c3e0de964103cdb8b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1435775ef9b93ef69b7c1c3b4061f998

SHA1
d7e9a81c9e6c21b4aea64b65087478e57b4dc4da

SHA256
36f3f32657fae87f0330f831fb06c31ba6b241f1b891e7d92c54a958c57482e8

SHA512
b6c2630cab465eda04eb43592c4acb73f108e596f93d41bd6454e406992a0356e47d2ef64684d5e657fc4d19144861210bd1056752afd4120a2a6dc394faf58b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ede6437bd2af87313d0fb611f87f634a

SHA1
774b5bea63d1f141b471612b59a0cab21d4415b1

SHA256
e3cf2853dac4852bb0ac7ab4db316ac5717bb97c71b13aa0cf625c47edb1b25d

SHA512
da61d59e4adefdc64f3764b5317dafa0bb04d6c5ce0b4cd0be6bb7afbe19a13035a5ab6bb1170c8d7261c6e8da14cd864b25520fad02fc5bd0ada15ba3925d3d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
885d07a81b77b4cfcf470ee691d2d3a8

SHA1
4aac5456582158573bd9667bb590e8327a062c9f

SHA256
fcdfd1a06bcb5160d0ee14b0dc550aab1e3c18f5d7e2379c8286f1d40bfeb384

SHA512
4feb857c9be0868c2c7f2eeff34af0327cd812547fa1c7b2a9b61ef05503db26a670c4fea01bf29034a0b2549368cd8a5f93123ecd782a1947c63cd75246a8f9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3e1d7b12ba6fbc0cd9736b88cab07162

SHA1
cfd3eed475bdb713f30ac488778ef1dee36255e5

SHA256
05e769bb59804ebd0c9547039b35aeedb50544fff2d4069eaa3269b9b6c9a997

SHA512
ac0a067636f29f913f054e86defce865947938a6e185ceb98ff0d129baff306e9c55469ef5f5ab9bffc766d3f77f39be964b101c3fca4b67e38ba89faf1f2dae

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
11d7d4b29c2bc1e2885bd75120360398

SHA1
68c52e8b58a447e8ab9c8df46913e2b97850bd97

SHA256
ceafb8974a86b2e447932df58c602f74e6c72a8b019dfb86ba185e1cf2f785d5

SHA512
6eddff438ac104d49160cdd2a4bd7558b4463ba24c50efe944f64368b829270f42ae6073dcac91362441739344b7239d6fab92ad4240382f8f86cab1d61a425f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4804b1121d53ef955607ac6004914a1b

SHA1
228603e1d9f9529710f4f72aba1c66b94a440cb8

SHA256
7b56fe3e01a688485416af8a7e5edb3b414e9ea0dd50fd3d625745122481c28a

SHA512
ecc5e20e97d3d771e4f625a3675881c09c34c4f505fbc54fcafb52d3e03505976edf971b2dd13249d73df6f86a0cd1c3c97bf0f835d0059cbf7b65c6f863354b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
56bb9025e587fd7776204d80d06376ad

SHA1
7376f38ec69ebe338f5f643829f937080c35847c

SHA256
6beff2fccd783a7cea49069246113532bf4eceb4c4b44e25320eda579a70f25a

SHA512
34ad501a70c1fbb558b8dcb8316de264618327533a7e77234ddf84006a6d3b4b7e49b934dd8be902729d19af1beed5d1ef33e98b7fdd4d8da5697e076e8a6a68

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c240f635ea0481cee76a38de73a96669

SHA1
9f6416be6eb6d942988b5e50ca4acf0f067f09ff

SHA256
5a48f83285c8e36efdc619a8d889a697de1e192947b74d2a446f9c31a97c8aff

SHA512
8dae667f50c36d9795d1778c32c24d5fcae09369f8abdecbe7856ac55f8d5d41e3c65eca5d756805701ddd38ab981195796d6973f2eaaa87b06c4d4ec6bfda2b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d402c9bb40b1dddb0a00171acd4d06f0

SHA1
4f52fb48833088fbb4ff84f1637ba01ec20799d3

SHA256
a2a9d5ef6bd06775efd6f2cf601d27f6d0d3346cfa616a7e82f9d746b236a0cf

SHA512
29bda79bfc3d05c76129fc3ae9a07ccbe777c5df34a152a0c2614b18cc8a09469a6f592b04b6ad2b53a54b72f9c0fc7ef998f1acbff27551753834e34ded728a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c92d0bd75999ad373b783ec7a13afb44

SHA1
e98780ba9185745f60d487284fb1e174c1494009

SHA256
1694065a88481272c63f16399c114c2828f5c2157ff8c99566215aa188c8fb7f

SHA512
962f4d651a87d90241accb2ad101ec292c1797ec123cb4dee33f5ee60919cbec7d0b10132ebe8bc24fb0b8b723bd459cdd8740d5cebb8d3c71be2f3e8942db6f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
260b0e3a53746be1616919a463e54706

SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a

SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309

SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ec41ee66cfe8ff92b279c7fb0791723d

SHA1
80f0f3340c70b4a930110fee51db123541abf7e5

SHA256
b24874ed694e55b8f3f2ead879463205d83a73a0634ff7e02cc9ab554e8a5b0e

SHA512
6b053ccd94aa4a778db40b5d3541b613950bed0996f9fffcd1af34a8126630715ee101a0fe71322519bab784cc156c76dad27588e378094263209a0aae5e02b3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
7a910da731ce6d25c98300067a8de8f6

SHA1
ae4852450eb75ded842009499ffd43a4f9a5214f

SHA256
fb85cdcabee07e4a8ee243de155f19a7904a11dfc44a98209089aa89902612e5

SHA512
1d1db07f31876c0b091603d473c2f9b892e6c780aa1f3c86162af010da9c36f21ca4fc8eda29d4929871c98066cb382cd53edc7df7fef8e6cb660fd7aff7a79c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8885d5bda50c870c3edafbfed7633bdc

SHA1
43f64d588ccc67f6a99f73d67b88ca6231e5516a

SHA256
6e01e61474ad25cf76cffa33f489fdefc12022ca87b02acb3ccebbbb55887161

SHA512
f60488aa3f40e2d42ede50be40feca62c25e0f5e13c2ba3bcb0824a8ed65c56d96297b562fb56a2bf6a6d262ae290b31de3787964fc330e1990ba3aa6db3317d

Download Submit
memory/460-69-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/460-63-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/460-334-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/460-459-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-337-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1100-354-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1144-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1144-369-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1180-368-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1208-367-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1276-333-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1276-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-626-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-341-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1900-342-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1964-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1964-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1964-21-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/1964-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1964-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2192-349-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2240-98-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2240-86-0x0000000001AD0000-0x0000000001B30000-memory.dmp

Filesize
384KB

Download
memory/2624-28-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2624-25-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2624-34-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2624-619-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2912-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2912-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3424-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3516-351-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3740-360-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3752-362-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3784-361-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3792-11-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3792-17-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3792-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3792-562-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4196-727-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4196-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4488-353-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4512-336-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4784-53-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4784-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4784-59-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4784-72-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4836-49-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4836-332-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4836-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5944-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5944-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-662-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6016-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download