b33bcd5b79d7a91fc9755923a5613e81eac382a5d9ee7a2551ec86b5677712a5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
Size

4.6MB
MD5

23ad71d56a678438cf6f598232ddcf03
SHA1

a990f5a8e5e8f69bcb8c689fbf7b0fd224b27296
SHA256

b33bcd5b79d7a91fc9755923a5613e81eac382a5d9ee7a2551ec86b5677712a5
SHA512

98747066cd9255d99d6424d15a4d104283d7184759ca8694e97a7e515e48cbc1c89c1a31618f16b00f1c207c652205c9d9327ace7cc1971d310865b3261a086e
SSDEEP

49152:LndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAG6:z2D8siFIIm3Gob5iEiEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1552	alg.exe
1944	DiagnosticsHub.StandardCollector.Service.exe
3904	fxssvc.exe
4980	elevation_service.exe
2544	elevation_service.exe
4376	maintenanceservice.exe
1664	msdtc.exe
4472	OSE.EXE
60	PerceptionSimulationService.exe
948	perfhost.exe
3592	locator.exe
644	SensorDataService.exe
3372	snmptrap.exe
4468	spectrum.exe
3484	ssh-agent.exe
4272	TieringEngineService.exe
884	AgentService.exe
4436	vds.exe
1620	vssvc.exe
800	wbengine.exe
4628	WmiApSrv.exe
3532	SearchIndexer.exe
5380	chrmstp.exe
5448	chrmstp.exe
5560	chrmstp.exe
5668	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3be13197c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064e5977950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001271b87a50ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645983952654310"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0183a7a50ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b85ba17950ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058f8e27950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042a2cf7a50ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000add9167a50ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe952d7a50ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
2416	chrome.exe
2416	chrome.exe
6084	chrome.exe
6084	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4764	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
Token: SeTakeOwnershipPrivilege	4776	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
Token: SeAuditPrivilege	3904	fxssvc.exe
Token: SeRestorePrivilege	4272	TieringEngineService.exe
Token: SeManageVolumePrivilege	4272	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	884	AgentService.exe
Token: SeBackupPrivilege	1620	vssvc.exe
Token: SeRestorePrivilege	1620	vssvc.exe
Token: SeAuditPrivilege	1620	vssvc.exe
Token: SeBackupPrivilege	800	wbengine.exe
Token: SeRestorePrivilege	800	wbengine.exe
Token: SeSecurityPrivilege	800	wbengine.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: 33	3532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe
Token: SeShutdownPrivilege	2416	chrome.exe
Token: SeCreatePagefilePrivilege	2416	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2416	chrome.exe
2416	chrome.exe
2416	chrome.exe
5560	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4776	4764	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe	81
PID 4764 wrote to memory of 4776	4764	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe	81
PID 4764 wrote to memory of 2416	4764	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe	83
PID 4764 wrote to memory of 2416	4764	2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe	83
PID 2416 wrote to memory of 1328	2416	chrome.exe	84
PID 2416 wrote to memory of 1328	2416	chrome.exe	84
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 1408	2416	chrome.exe	110
PID 2416 wrote to memory of 3784	2416	chrome.exe	111
PID 2416 wrote to memory of 3784	2416	chrome.exe	111
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112
PID 2416 wrote to memory of 4352	2416	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-04_23ad71d56a678438cf6f598232ddcf03_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fe9aab58,0x7ff8fe9aab68,0x7ff8fe9aab78
    3⤵
    PID:1328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:2
    3⤵
    PID:1408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:3784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2796 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:1
    3⤵
    PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2804 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:1
    3⤵
    PID:2508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:5264
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5380
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5448
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5560
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:5552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2552 --field-trial-handle=1928,i,7536717258845352472,8142500430670354470,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4356

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:60

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4192

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25c231064ce46881541844f57d7b4348

SHA1
eee0cd98edef26fa5ddc59bf469d674c3e36e1a3

SHA256
22f72e29bf08a51a56facef1defcf5dd5449e0d90e41fa5c5e4e6e646808bf8d

SHA512
4543734470a8ff31aeeb052b2b792d291f3211e5cf29ed935de82b31206b35de33910b808d1ac8a13278aa10698fffbe36d365de99a787563e7554829aec18f4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
37d182993257593423318ab2ea73193d

SHA1
83d1c61efbdc1a38875779c880b5743a60b5f4c0

SHA256
c8eda690e14993e289cf7843c08b1134f26f486d1b82edcf1fdb2acb0ec37e95

SHA512
22d248ae261d2a344c51ae81eba0ac0cb06d5f7196240c6ad94f86fe87ff7650874401d9afdd5636c9396b5616471f0d581aae886af4d413e80369899e3e23e8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
593f9889b377042b867f6ba0804975fa

SHA1
2ca039984f4dacf8c1ca330e98f1ad531f41362b

SHA256
a9a7d44343dadde809b554dcd57d01bca88363c4087e3a232fbfc3a861ce1845

SHA512
c19f97aecae698ccda91c1b5121fd64d945cfc210a05d3a02021191a7cf4a196163f2ecbd3dd30358be3ed2691c6cf63a3fcbc61efc950365e79ab811d4fbaa1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cb9bff7693195b5c756b320ae3ea1c80

SHA1
f4ff56a9c47ba8ce06ec5b43e91af279aa43d7b9

SHA256
ceaf855f0ec2948de51393f8f51f6448e688ff88534c0f91fec7e2a9c78fd66b

SHA512
ea5ec38bf1f3fc6f15bfea3e119a0ce75c643836158ae40d3bf4b1887951c756f0ccbdc073f2d98a1d443f5cbbc1835a53701503fa6a3bcab7c884229419458e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
97e9085c522cabb6322a3ab9e231f772

SHA1
554a9d6b686b234e369d35e1bcab4997ea646c45

SHA256
11faf18b4b0e52d35fe664fb07f7cd2b531c2f8beef42c81d43464542e96bdd1

SHA512
08b98e03d48780878407469388f61b08d160a7d9e0dec7fc5eb037a58e1390ada993b4d435b4335e187890b8e087cc2f93631ee64f2ec65b4721a1156ec093c7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
adb8a0e85aa54267e0abdb114ecc758d

SHA1
a22344f299fe9729164a73b69afeae090231f70c

SHA256
a15cdc03675b40574a1b69d034296542bb9d5dc02fe8bdf64f050be8562e9df7

SHA512
154792b9ad0744793014d9f03c0563e2718c6a6a500ef99c006b0e5b548ed89393d0ac2665ed1b6138f2a882b94cb61f94ea42d319c9dd05ce9bf7836dca67f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9bb698612089560673022e4cde1e255c

SHA1
c76dd14f6b76b00e7971f1fea552494ccf6b8990

SHA256
68a5d17204cc4f9157f574a98182522843b670e279db5e53074d00a1e3af8def

SHA512
e491c3a0db9c5b0b22192da48b870670acb28bf207213c42f439cd46ff1de5df083e15bcf5c21f2c90e3a371a89ece28915e0765ffc3bfbbccc6ea5ef9612862

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6402f399a301f1291743f4579f81ad6a

SHA1
aa51e8d9fe9ed38f4e5eb0a9ee0985beaba30cd5

SHA256
530b6547e17bc127547d7cd6410fb709ee70e6b54892de07f2e080abe0f8c92c

SHA512
1768db2955f70464106bc4a83140493936e5ff983dbef5841c6683ea38febc04d25df21502b7e8be76b73a04e57e120a80c4f95101e9f7f924f81991a4d388ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
00f4945cac2c396522c5860b6c67d717

SHA1
247f9353f9fa10cf52bf28ee9367d5afb758f6e1

SHA256
d80905a9f05526a1944cfa3239358abc1280a2cd1bef4b46bee403082bf5ba06

SHA512
014ec902eb7223855e016d4487d1f4501eb8c20812f98c3e03167336768f6e2e1bdd13f0b21badc48c6d105c9890725081bf23f7083defc9f5165cfc4cdd36de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
16897fde62fd0d1bdb53ad8e7cb7fb07

SHA1
7827de34d6fec0ce7b41ecaf2a4bd92ff8841d99

SHA256
c8a69bae4b3565c38bb06b53e533f86eb5d3af7c03f158e2e9e100c25316918d

SHA512
16bd0940c8b04af583e5bcee85f40798748a4daff12b77e097fb212af72ccdeffd50a84f67b0f20fd49d9422cbbaa7f4cf7b592ae18de96daa5e475ce8fbb5bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1d44e552831a395550287d6cbcb9ee3d

SHA1
18bca2d1bf5af8b08ce9870a2522d29c0000e824

SHA256
3ae5651073db805e7c0658dc257e20e985c7a9c4a37a1e53c7cbc0557b6033bc

SHA512
ebe32311e4faeca56703c52fd1833e8afaba7632aa24aec0bfc1d50754fb4e2d81bf6711a51cbdabcd709377f048c73026cb52b700789bbe59be3d5ab9c83658

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
55557687ed6b6c2c47ea2d8e7cef1dbd

SHA1
21a8815f2766099c5fefa6ada1b2ed39fa3f2872

SHA256
486212a40ada08e10f70d5a3edd98a569a1b1044322e05584821f77c9dadfa4e

SHA512
cec5ab7c914db71ae65d249774c854acc01faeadc1f41a90ce57c1fa03e308e2f06fa8f6a7d60d33e97788169a9b757133dab5d6eed2947bb68a43bac8d671e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
12a6f90b40f2b53c4c2cad7497152dd4

SHA1
e84c40a12c3a46cc79b3b3d8abc66f55203e5014

SHA256
71e6e545b19a9b03ed6ca468d2c47b4068428266312fc6679280db3f6c570e47

SHA512
7a01d12802d13894666139a3e85d1530c59fa67fa27c8a33d0892413032abd55db3b6222c538f5c5844a01ba5f74d390a57db68228764a930d4a9c2c22e9ade8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c7ef28d23c914d71dee7322fc6c20bfb

SHA1
5d4523682d4e5c9d022d2507e8cd93eac60ba704

SHA256
96c90987155d6463433829c81618119b05725004f7dc0eadc50753912046fa12

SHA512
14ae9408494b1af137dc6c65982d40103bbe9e8ad17dff501b7e806c14bf41b3c498294b8b9bca3480ce0d17300a13c6a7da767f92bc7f0cc8252d429bf5a007

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9856a5489b9afcccc7e0bfe11a6affa7

SHA1
48555eec95f7d7161efde210a8bd0657b83f7dd1

SHA256
34751d3d8ece5d542a046d030ba1f5354eb45bd6a338ed0b05d7fec0c9d20408

SHA512
1ef90d59e2f516526365d9c5881a7bd85026f2fc5c937987c02b8d8bb2de5181f24c1345bffa6688d4c33a00e4dab1e9070dcf547c2cb332bf2693bb5ebe7493

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
49eb09b7dc1605659a7c5471525255b7

SHA1
397e0d42efbfb240a3276a302be005043ebc0c8c

SHA256
0aee06947ffed17827d9f2e8b7d72c897ddc50742c9db9822849a27306cb124f

SHA512
c09f4ba7cff17afa412ebdc0647e0fc7cfcf750aa42b766d48eb36e5cbafc9e15990701e0ca986c259d83350a1cc68dc150de0b206dfbe99e187c10928cb75f5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\837e83a1-c9f8-452a-9ad5-a6a55395ce75.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b77d51cc8d36cc9851eb6dedffe17ded

SHA1
7f2a6e14ec9b624c4e4c0b9160026095c85cb65a

SHA256
bf333af9e32ec5accf413935eddc24f7bb0be514c5c8c4c7504d8c0d45813962

SHA512
5a5fb0184419005279f79772dc447d4190f76d4739767b02033db4544472507784d4dd0cd89cd48da14ec154da509a6de694b904b774e04076c75ffe251b0113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a4d87119-1f2a-4771-8d59-d0826c64ad99.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
820d44393cd45372ec404e45e2878fe9

SHA1
184a767408683038c4c4b2df9ebb20a412aca0a4

SHA256
e96d4c42164a64d19841c41e8fb26c18a559a5f415f7e83d0792ec0cf0d587c8

SHA512
16194da3d320640e97395f5e4e8adccb993f3815d2b694b5bf7bfac4b9007325add00763a4f6f1bb90250d178ed0b73dc22f18bd95719559807dd036fd1be6b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7c0fc13f469ca708ff5aad44a3ad9ac5

SHA1
b980423cdce64d4d564a7b75eed82ee413334b16

SHA256
0d88a6775301fa04f4ddf9b7a56d10e8b111a0f760e8053d18cb9438fb63110c

SHA512
b44416cefba9db23a71813d83cb6705e0ec8673a6a3fb5a615abd8e98c965d6c11c9b836f01a493b92746a148319d72d8dd0fea289330528939fd632edb1455b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8c3d76cb18185977431f9ab6a1f28f6c

SHA1
f66fc752c335870abbaf1da52953ae65f7110b79

SHA256
333ecf0953038a50dd346f5c331d6345f6a8daa622b1714c38e5b0990f2f510c

SHA512
f991ad4b4973a453a6fb5e9283695b468855cc0df9a6651560d1a00ba5d9c4b80967772e1f41c916ca99c7ab55fd5e5a489754ecec1da1d4855f570d8eb6a2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577be7.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
81afa61eb498c00e23b1dc47512d9b9e

SHA1
203cf43dc86d4b72a26eee4c52a6280032d31ff8

SHA256
8bd3096e15f5f7e8b1aca87150fc4fabc8ef578190187957dabd0741f1aa2c82

SHA512
13724cdca01f80c4a6fc410e0594f4282302d00cf694b565c28bf607a73288a03ab98bae6bb355ea792e003ac62075ce591dcd4c6e24213eab68eafb787697a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
9ddb8d2e1cd642d27604b46817d7825b

SHA1
fd88445481a538d61c6d8dee5c80b94a950d7334

SHA256
aee583a90dc16dc39e11a156c50f7ba5ea487e9a9dbec69e7d9ecca89cfb7eec

SHA512
7611c6484f532f516e0879e963d664db85b4a03770f1d5ef7fc14875d89a31f39a55d243d6555f9c6911a9c9cd91d6198196f81dc33e7515213325ce172a5de5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
989187baf4cc08409affc497d626d7b3

SHA1
68ae1981b5ea48e417817397126020ed4b6014de

SHA256
c06d27949050bc383043766da7eb06377c5c4d94217c13c9a60c4f5e67a10ac1

SHA512
7fba7030e5c20295c8d04b1c2c20386821a155ea691269b596fd59414d06e1f974b74c839f065b86b1feb375dd2f7cd99209ed984017fd1b1a57704bfae252bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f117.TMP

Filesize
88KB

MD5
6104a87c461296e427437d0c342f19c7

SHA1
2da05c665d7e7f7b272a91ecdf9cf643aa120474

SHA256
9fb35d8d0de2777f357025a72aa8e921bc2a491020d53585aea22ed05c07ceea

SHA512
4d9440e633b797dfc5e889df1fd49d3edf6e0a2131d64fd02e179a7c1ed026b1ae4b1c6b233188ad9146fb4b22bef903155ab815411bfc31ab72858c55fad15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
a414c5fc965ee55288c03b49240d1e86

SHA1
6adafa9bd1e1c0b54a8cedf39df10177ceb9d0de

SHA256
90f188177cd3979e7b3f47fa2cc95e7f908368dbf56a37812671a34a68a032c8

SHA512
e4d0e4b812a7567d9211c62ff36b6e96a4fdd18a29472227a8624ebe0507d4d9149f9a3b752377ec7f0b2265b1d653224c0494a355e26b0069c87100cdeb65a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
ac1d04c12118524de02626c7e9b547a7

SHA1
50bc2a9e60adb4e7be962b13074fd447d5451bd4

SHA256
f878d2b21907f3c45cd707e76d4fe75cdf3199c2683f54740e52b4d2e5289870

SHA512
a684f55ba5b20aa7948c4c3e51c5df60e9e2e2e2457b475a430ed81ccef6e90215ddcead4fd0ae36f6b9d81c0445a0b3f87d9d2a5233870d1719f32556dcf2f4

Download Submit
C:\Users\Admin\AppData\Roaming\3be13197c3136770.bin

Filesize
12KB

MD5
dbf4d1342d3fe46da2f211f5c94ce27e

SHA1
ef942b0186d2b02a2abc926853e967625dbbafa3

SHA256
7f8b7b19baddf8f758065f1641f50a2c4b3cbabc10659eddf25c2bdbdcef53bf

SHA512
7887493dbd57543f49ff5b08f860a8322bf9655a8e4931d93c88164ebc258a8e53508ba6b40d203c3aabd0fe85e07b40ba01d46fb254ae30afe970cd49f22ac7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
492262806c5aaaa9a52e789b333f4e6f

SHA1
1196c3998f0df0934e42f9c971cc279c2b19da51

SHA256
fea215d3725bb55d58e3c06ee5c7bd02371f8a38346de0fcdc93188e39f86bcc

SHA512
0813514c2552f3673bf4bf5de4c78f92557e3c998e796a87f9ba5e8ad396d73a6d094bbc3ce941fdb86096433c57f00e1eb641bac1d13ac7d3205611f5e25cd1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
816286b401e9b44da848651c2f5a1289

SHA1
db6466bd8bef213d65c10a0d3da85fc07c2cdac7

SHA256
ead781783f364c111fda273333569fecd9bf823879b87b269102cb9f8dc1add6

SHA512
a81b61411fb9f465c275494ab0d287ebd64bfcd4751de2229bd6b81c97a4cf4f8a5675cf9d8277e150d22955823726ddb54812b975b6e3b729e5c3f61835e3bd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0edf8b292c40bd44439c2211b7c881c5

SHA1
121cedfe3274a79fe2a298c05d0883108f618bc9

SHA256
a5ad30cc822868f1cc5dd2ba7916fc32417f7d70c86e401238d492d9b3804589

SHA512
e9f14c8eba2aef86e27e2bf005a905ca89e77e3bf871d10209bcc1bbd3c6cf90f370390e4b6b311e77ca69a048c99907d6333c34fb5299d7bb822c5ecc157e29

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
06189d29fdbd74293a8f46a47dbde97f

SHA1
d16d0c019bfd651eebcc993fea5d6010083bc598

SHA256
2cdc5f1300e80a0612e7d30b5fdd3cb249d7cb99c0f86a073acb1e2b8cc983e9

SHA512
a3eccee2d7694f249056efb132729d278fc21ba4f663a51454229eb9e0b1dc453dd1a0eac865080a176b66875e792e68f756066f4c5000474d75797d69c245ec

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2b33f49feedc3b57b1e972cbd16d373e

SHA1
95ec61073f95690883804084f898eee6931d25df

SHA256
4348eeb6f085ec79781db651cbbfc33d33bed7aa87497a11fdc46d3581a3ba96

SHA512
e58d71aed45938ba81745b6a101a8f374f607ea4d25cac976d924acbed725e0585cab5e4bc6c87cc50823deaafd802d283b0798282857e4c50052b3398089e2d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
12588f13bc082f10c109bd6c93ec3fb1

SHA1
4cec93fac68c7011db421a7f790be3c312ee20a8

SHA256
3e40707180d836489e85224270b0030b1543e04de51703d700c018fb6ef1037d

SHA512
9a31a694692d2c33661b02911e7587febf35ecd1f6fb320b7e334f4e5571d27e7ff24aa36a658ac35433e0758d953c23f466a533d9e2682074a3e981e61b9279

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
23a80589a9de6815f6ca5d3649a64c86

SHA1
991897b543e1ae448992a631cdf2c051efd6fbdc

SHA256
28bc5fad9cd2b2034e85615c219b6d0c246fdd522b8fcbeba81cf0517bac57b0

SHA512
8a52a3cf0d249acd064700799063ab28ba4fe62598f7381c229c84e4174447d89177eae86285596b2ca9e5a136b0c6041315450abc2c5e4749b5719219183554

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
37e815c6016eccf9692303f76fb88625

SHA1
39ea4efc7f887e993a384ca44a7e5cbe1f366961

SHA256
ddc7815dab252adaf72bc5a25a1f93616a856cb1933c393da67e36c34f413594

SHA512
176d96c46199c83c2abd64164080fea7fab4ccfe9eb329db9755d30b0b267b1dc5e66064c8b7794d4c7aa24f4cdeb55ae70b22134730ab853d3bcaea84951a00

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
92640dc66aad281fb3cbc2abae7cb93d

SHA1
6c8377622365f0bb3c0675ad0fa7300315fd61e7

SHA256
896db7c19a3f98dc1bc9ea65a384d16a844e35456efa5a96d939e6f09f26260c

SHA512
b5b9a19f8b3fdafbbb65c3578a81cdadd382be06e6def77a315a27197bb3006066eb9270a6a94fe481132fd50b8f69b2fd5a20b11be342dfb305592ef30154df

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
45276a8e76a45d3a4c0b9f7f644d5610

SHA1
48fbf3a22eb0b12f8368c898d42016e571145909

SHA256
9e13d989c5b9688610e63bda999e76c62212c91fbba5ac2d1ba4452863c9f72f

SHA512
f6b01e808e9212baa4d0baab31a19cb08133211ead6c378c29c42a72c4c756c25f9b20654d6e08a89beb23e26deb3ff26657d9be5d1b56377e01e044efa0e6f0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fe4f32a2682c7e9a365ff117bc04be3e

SHA1
1ab21d136409942a548258e042eb162de3356817

SHA256
519a56fa9d14ee70881b45c10954dc1f5c004b92b4d7c0e5382a6852f3a9983c

SHA512
f87cae38132af38d06237242281c6c115c7c2f8d94c97b7c4ae76c329f09cccaccd07aea1017ee325cd06dd035a8895c44e8b10b2c6a1fd16babd924c429ad88

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f11cbad326222e50fcad9b87fb5a480f

SHA1
a646e49ce7b072c9d35da2690f337d31c05069ff

SHA256
92ccf17220770fb0e9dc00180ace90e0079fecc5d9c5f14763cd5ccb4cc540f7

SHA512
ffdc36c90cfbed7274233765342f8718ed5973d3a7ac5c33a43ae1161a1ddcd92c34fe88e090332e3063cedba54bbd77d016b7fb0f766b10d83b2a79f7bbd1f8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1245807bcf30300a5c3e666751b133b0

SHA1
3a6c66f00ffd8c97125adc3a20d5eb96cc7b21cc

SHA256
61925e1f5c046b8fd965fe944f0e3a9be184d2425206a104660447b9e29c3272

SHA512
5c5cb70692e023bcb6a3dd3afad32a1b636bd47a11b972d02cf992aac8a974b6e087bb304d55ee7afaad0c90058371e9be1edff91dbe3305b196f614fa96606c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
143616be0abcc5f6e241e9b51add2930

SHA1
4fe5eceb5c74cd450f26aeaad28354bc9f5da205

SHA256
fd808a5e81d5db9e4dc0bf1262079f6fdc342bb9997723f0a67037dbed028c93

SHA512
114746c540df3e7a21334098fae09b1f7bf0e7c9acdb7ef8f4b5112d4e5917f2fd43981b9ec51128cb472a8e6cbc768c02744741fb667e525a5914cfd8c884f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
43fe951da74d2584e44f10e7d44bc775

SHA1
96ffdf6051d0e3fcf5276571ecc5eb748418c796

SHA256
2b703c98b0d8f6655d0460be3674e3161ba9dbc014c1efcf595fbd17fb4cb7d2

SHA512
a3914d4ca1d1d9d75c6ad5c0863b2b477213d48df4063b1e5c8ebb337aaee9cbcb5a1d09178203c7c7b480276d26fb1004c9f22dded2d9d1bb4a32e767f34976

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8df5f43c8c6369be656322dabec734ad

SHA1
a39285ea0cd1803ed884aefd4bbb594e9d98c95f

SHA256
94bfbd1f5792ff296cdab838c5f650a7f07316ca5e9fa15299ecc1232f29d6d9

SHA512
90008ec3bfd1eb41ff3d311a96eed5bc1597d6e7244d7e63bc36e16333472700199ce87f4ddc1cb6a199ff3a6626f3dd91a47ce8ae287a29b4299297c395d8b9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3e2e41ff4a82195180c405af9159515f

SHA1
e78ddce99f64fe15f7d66d930fe474f048f65137

SHA256
ff7775960affaad504b7a89b0b278255a7d1d87371b3279f724e242dfb4d82de

SHA512
afc99db9f6e43fdfd76a09561e0601c0ee29fb91f97c861bbdec1af4021f70fa6f7bc52353630ff147c7e77ca2fabb4d5601d04e8bffe650f29a680888aad7e9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
af2ead4ffaccbc5ff3a0e4cac431a7b4

SHA1
46e5af60fb9192d6e95b8695d305e9253f2222e8

SHA256
240cdca077dd32858aa40dc22b8ad57122efd52df3b7fb2b7befcd014a3e282f

SHA512
18368f9b11b5592080f264bc5f0a01936fda424f020123b8547547f599e923f400341ed960bd3cbfdc58842538d439a21ba0dce51b30309eea667a78deb27e7f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
60c356e5b803fe6abbf31cc1f43aa4fe

SHA1
abad5c1ceca1fb576e2c41df7d6977fa5b6a210b

SHA256
304b4caa20e882e26cbf1541ae3b7d5fe6b08efa5cbcf542d3e54c2146bdf44e

SHA512
c26b9563efa4673876b06ea7424ac3816ab2671e17637d9b6b2cd3f5e2b9da202d0947d7c06792a91bf536f0a8b3517910f47ddb887adf5d233bf850753d9b23

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
13596f00dfc12cb983d48fe7d11df1d4

SHA1
7daecf38907a770b1de6ebc6df29e6cdd8db05d6

SHA256
9ba3a38f11184c4f41e3f831a1eeac22728188d86be5306d85f1200ee8e6987d

SHA512
4288d2bb4135a370cd04c73d7acf8bf41c53f47bea27f5cc3bf34f6fbcba92b9d578ec06de8ddca6d35555cdfb55f76f3a79f0195a813834b8c2276fc61748fb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
33c9212058584297048945b07b29ea6f

SHA1
7c7572f2d7cece0b8baca525e1dc1f42b99775d2

SHA256
b40b844109dd11605b81c7f6d751bb0a63e783d9d970a94bd8454695a0f5bb21

SHA512
ca9f7345be0af00cc76e5098f255ac721888195902d8d5c8791a6670478b6335442fb3571f747edd51097092c3515b5dcd67c0fa4bf33dc51ffeed00e63391bf

Download Submit
memory/60-318-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/644-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/644-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/800-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/884-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/948-319-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1552-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1552-569-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1552-21-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1552-33-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1620-327-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1620-679-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-316-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1944-47-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1944-55-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1944-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1944-671-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2544-102-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2544-678-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2544-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2544-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3372-322-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3484-324-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3532-681-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3532-330-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3592-320-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3904-65-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3904-59-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3904-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3904-88-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4272-325-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4376-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4376-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4376-91-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4436-326-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4472-317-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4628-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4628-680-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4764-41-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4764-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4764-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4764-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/4776-29-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4776-548-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4776-34-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4776-12-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4980-69-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4980-360-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4980-101-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4980-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5380-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5380-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5448-684-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5448-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5560-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5560-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5668-573-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5668-689-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download