22862fb167c091cfa01e35188e464ba631f58b1d2ab6f4de36bdd1664567053a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
Size

5.5MB
MD5

452f9931b335e0b7e4b34aa7aa9f37d5
SHA1

6aa5c01336893ace9dd1c1d74018064ed31ef1e1
SHA256

22862fb167c091cfa01e35188e464ba631f58b1d2ab6f4de36bdd1664567053a
SHA512

d1a93efceefa582bc2fcb2eaaabc944565043d019dea0a35ea6fe4569ce705a9b0508e6feb7a65df1b36414530fc8787b30fa876235ae9f1687f5ec26941bdb4
SSDEEP

98304:WAI5pAdVJn9tbnR1VgBVmcRVlbnP9WXW7H6C:WAsCh7XY1HBVH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 25 IoCs

pid	Process
4776	alg.exe
4144	fxssvc.exe
1008	elevation_service.exe
3840	elevation_service.exe
468	maintenanceservice.exe
1140	msdtc.exe
3592	OSE.EXE
3272	PerceptionSimulationService.exe
1460	perfhost.exe
1992	locator.exe
3636	SensorDataService.exe
3240	snmptrap.exe
1356	spectrum.exe
4324	ssh-agent.exe
5092	TieringEngineService.exe
712	AgentService.exe
1768	vds.exe
3496	vssvc.exe
4036	wbengine.exe
4312	WmiApSrv.exe
312	SearchIndexer.exe
5180	chrmstp.exe
5292	chrmstp.exe
5412	chrmstp.exe
5488	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4e4a346b92844182.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aba6396608d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000290ddf6508d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648972895270679"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be4a9c6508d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8f6966408d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4ff4f6508d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000437d516608d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0849b6408d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004163336508d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
5476	chrome.exe
5476	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3216	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
Token: SeTakeOwnershipPrivilege	1000	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
Token: SeAuditPrivilege	4144	fxssvc.exe
Token: SeRestorePrivilege	5092	TieringEngineService.exe
Token: SeManageVolumePrivilege	5092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	712	AgentService.exe
Token: SeBackupPrivilege	3496	vssvc.exe
Token: SeRestorePrivilege	3496	vssvc.exe
Token: SeAuditPrivilege	3496	vssvc.exe
Token: SeBackupPrivilege	4036	wbengine.exe
Token: SeRestorePrivilege	4036	wbengine.exe
Token: SeSecurityPrivilege	4036	wbengine.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: 33	312	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	312	SearchIndexer.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe
Token: SeShutdownPrivilege	5044	chrome.exe
Token: SeCreatePagefilePrivilege	5044	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5044	chrome.exe
5044	chrome.exe
5044	chrome.exe
5412	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1000	3216	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe	82
PID 3216 wrote to memory of 1000	3216	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe	82
PID 3216 wrote to memory of 5044	3216	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe	84
PID 3216 wrote to memory of 5044	3216	2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe	84
PID 5044 wrote to memory of 1948	5044	chrome.exe	85
PID 5044 wrote to memory of 1948	5044	chrome.exe	85
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 4656	5044	chrome.exe	108
PID 5044 wrote to memory of 2552	5044	chrome.exe	109
PID 5044 wrote to memory of 2552	5044	chrome.exe	109
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110
PID 5044 wrote to memory of 2696	5044	chrome.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-08_452f9931b335e0b7e4b34aa7aa9f37d5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2ac,0x2dc,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff887d1ab58,0x7ff887d1ab68,0x7ff887d1ab78
    3⤵
    PID:1948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:2
    3⤵
    PID:4656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:8
    3⤵
    PID:2552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2132 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:1
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:1
    3⤵
    PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:1
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:8
    3⤵
    PID:6056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:8
    3⤵
    PID:5160
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5180
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x7c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5292
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5412
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:8
    3⤵
    PID:5592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1936,i,1753239589268627695,13698625933408147303,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5476

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3636

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:312
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5788
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fb1b39a1c2048b2ed71cf7e6c7263d6e

SHA1
d701e495487e3b40b9eb731ab2063441c47652e1

SHA256
a42f757394aa5f470822d3bc7221dc0ad2be1d62947d1641ae89088491aade08

SHA512
78c08cadb8aa5a4f43d287f5f37ba47f37bc1d19602f382efe4105249b79a18a2a9827d3ddcb6733d9f5e1eb30aa03bc5578dbfcd40648dd9582a55427a23fe2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0e17b08d7772ac3cbbe24a0a4f429fc0

SHA1
f4e9bcc9a3077399bb13448b31224aa810831b7d

SHA256
60ef15cf3505fef8556b0d08626c58464183f2a6bebfca3515a2ec261c003533

SHA512
f677545aa04b4e0889996518fb3b6632db2624186f96d4a35d7f786fd6d51a16c549e2ecbe6d7068ced492ea495af5165bc9c71d041dc144ba903f36102dbacf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7600894102f3ed4fadfe16de5516a101

SHA1
14763d66aeb3e22b34fb4767fa143dcb18a9c4fd

SHA256
12809a5678160dd0532de169c1dd411e3c3432706e21036f8055d3fd7d16c3d8

SHA512
c8ee3aa26a9b910ca515fcdec1e1bfda82e4148e8789eaa6bf8397f381a916cdf238b05bf6b8aba8edcc01dac66632f9d162c3af4c0c0559534c93c02b69ee29

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
40ded67b76469650712e28e9cccff345

SHA1
0bd7d3caff13286375911f841c9040879c8e4230

SHA256
6d5e1abb4fa6add8aa9020e24853de587298645c590cb088865ceb2708359d12

SHA512
11d1375f5270c09edef8e8b21e7f8f93f96e290247f604d5fbc24e8c25aeda89ea750eb781e9ccce2e02fcb966fedfeb201b2f1a364a610cde32cbdd11fdefe2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
34ade0e575a7a3bba591b521c0519e02

SHA1
4e9a004782ab8738e270b0e130f217635b2cbf21

SHA256
ab1ac890037d51127dd14bc793d805b05abbef3e598d095a7bc4d9c1f64588df

SHA512
8ccd85be8021766d2097148bbfdb5ddba931c0b03c849498c0e0a10eae4198328687df478e0edd4deb274ffff118338c03e8d22810cdc9f6960465e26ac2dc39

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e47095619fcba23424b545391faa35a6

SHA1
19e91b9caf71ca41d3cbf5f6d68c642b442cac83

SHA256
9094de42332d1a20f9ee6ca36bc6572dc8971e57fd759ea06ef9d572f48f92cd

SHA512
daf384e9a844584aaacb367f3d6775b0d1b970ddee3a4a3bd0e9a1e3bfb267148dd997343ed5c32dc91595eddc573af57760cd9d1e3acdf69e8aa900cae32623

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
874d37dbc54916eea37dd8e1ea763106

SHA1
798aa6284166d3d53db62a144c3cd863f7cd9ee7

SHA256
43d58133e735cae256382fefc8a524326e4155236919593d0492ef07ab8c68d1

SHA512
95f01781123a7217df2c5e21d39ca3eb88050b1d95028dec3ac6a7379e50bbd9f8f095258ad1637fade8853a25db4296dad9410793a38216e230ec300274976d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
99e4ee1dc49b7bf0ffc1d5013eab1f8c

SHA1
7a8585b478bf3fd07637d46309d8132c11eb3ad6

SHA256
62724c9dbb318db2100186e64839e915afd5aff8616d6596dda7de2ef0b5ab66

SHA512
45c36c887927c9b96692794f6e5d6ba89080d6e10deb637efb92b1e7c8af908b9fbc99062ffa830a135bf1682b8565776a9922501ab84d3122fc5bbedb4dc686

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
04c0a1b147f40747ad0870e4c56c9827

SHA1
da064b66d137dd701c90f849ceb965004c68f2f1

SHA256
386f215fb189e7d896da4a5aecaa1c47c58003c67423c04185ec61c1b9260013

SHA512
10edfa022ab909d3be587cd2dfbe30ecbf111e1c406ac04b8ac6cce19fc51cb1f91fe7d8f45b22bde49a7f883756a3b748a090bd661cc4c6ba4a6fb5a2492a7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de0bc9b5590c89abb2b180c065fba414

SHA1
a3bf5538946097c06e2a82d0c83147302f257f6d

SHA256
06530dbb6ff1ee5e0168197e636a43a6f06cc8ed7ba66e423de7cc4b281141a9

SHA512
5bbdbd6b35452c01b7991011c945b003383317d958c72f1018672ebe568bfc1e7e28220429e08458f699b8d1510a240bb1baad4b35c72cf00b0744754e9593cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
83023a3dc93854d4e0aaf4c0206ff482

SHA1
196d59e2ab151b611075eeecdb0be35e26aab8b5

SHA256
0156a61d5c9512c18000b3793adfbc93724a620598f80c6877dd5ca2967bc419

SHA512
b34eaa8e10f3c572c252a4af9d32ddcf6457fb0a1055bf284e57e62c52ac916fe373f301636220c8f5df375673c243dea235879d4ae29398153d0c7480a5de8d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4214ed388ccd273a3bf228887633b564

SHA1
3e78d3d84fb44f12e62aeea763dabdab3367d17b

SHA256
0008540c77fb2493d67331dda5b77908d00575e33d928cdad27dd4b5ac58a920

SHA512
59e7cb61bbd7246d0a330e34a4343d9dc5eae3d1affecbfa694e49b078d2e6469eb427e548fe8faf78308789c59a559add0a002c5201704a05ecc1bfce77399d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
94b16fb54aa0ea55b4083999beae54f5

SHA1
cbbe54f8e2c65d6d1550f3f84cde7ba97af1cff0

SHA256
03b7c87b78610a1399d197f3bc2d25455ebd6ab4b0e1c71189f6aabce57d86e1

SHA512
1ae9607bbac1a7b12c157a7a44415e602bb9ff55c8f1bda78099f9c169993f2ff3694137d65e9e1e62106a1f57d0c6d5038a76c5ed2bdbff1ca0dddc554c9990

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b33552296bdbc95a29af4187d95720fb

SHA1
cb89509e9cb68a8588012236212b1f39dee2862c

SHA256
4f311647e4fb435e98d9dbace7584fef97c4e406566cdd828b04ff155f012d23

SHA512
50e7ecc33bd2aaf74f012c731fe570aa79e2b3ff89c8dad65b449125629b8fd3cd280e1bfb478c79199ac0c5d3564c045afaabe0dbc7d6ac5740a56b6e148e39

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0002f2b079eb30b3d1e844b5f3df28f3

SHA1
245ac2c39543dd5ddacf5502f899934ccbfcb9b1

SHA256
8120612dec1125336bf5f1c7700090cdcb682f4dd2e4496f4d05779051c88a6a

SHA512
473b01bc538a51c8de810661322e9c92b20572b131d4c5aeb23032b08e55678db2603f6f45da542f8a627f5d9fd0b09d1e418947f59745aff49fa2f26d9c9e9f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
80e3e9d966b727aa1abb06b7015abee7

SHA1
95dd5717d40f29e842ca04e0bd4c9c0823c811c8

SHA256
c46a4b62b8190c0f784ec66d35316cd3484b30e60f2fef7f736d2cdafae2303b

SHA512
0cfa63d8d50a225e9f9d2238a2332409f745b1d7b826aa19a5317dfe7bbb3238b16f58b6d92e9e1d341dd4c0b86e8b38608b615ac823d6de26cbe45d658f3101

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2005a5992cfb8f8a0f77fa606150341a

SHA1
964ebda01e1300ccdfcfcf110cf18f2ea6e9f9eb

SHA256
761111f83110e210c7e4603a9d682ebdfc2ccf1e163547a3273c7f2c870c9947

SHA512
3815fa9b29193108e041655665f6f817105a02e5ef77a22b89bda38e0fcb5eb8e75d5f80e435b6f07515eb6185173fdcd9f1dea9abcb4300f678b07d910c95ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e376f114443ea8b7638b8b9d457c9ced

SHA1
fd2ec14aaef78b26e408834884d67985ec634345

SHA256
f6b2d1cb41a52a0855bb3ef4a7c6013b748b795d942f94c1b343d46b80eaced1

SHA512
824ddecc0cba768eb3867b696c0060a37df4c4a58815304e45ef050b5d625b9d3faa62cbb99a2909ad0de6e740dbd3460baa025d8166a587007d61734e0ec7ae

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a9e7361c-9a0d-4ca2-a2fa-b94408d7d16c.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
634bdd4116db8de6549a7c7b3e564f9f

SHA1
e46b3d060322f1c9b3bda2010638b878000596ea

SHA256
dd26949a0a751f7cf5188eb91adad4c46fda65d80cbaf701d97df40316c1a5bc

SHA512
5455fabb16045118f2148cce0cd97213d0c532547fe91890c507648682a8f0ae0d4548cd98ecc6cdb511fb82bc2f5905cb7c421143a7552b59f63e8d201cdf60

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
832983132f4bfe4ec69ced3f5fa29bbf

SHA1
7f78352cb48c1eb26a41816df8cd639d76f16f43

SHA256
8716e85abe9e04bb713603b242c8dcc88778f636260396ddf1176c53ae327b4d

SHA512
1ff72f3f2c8f8de9d2c4d6e74250553a180e00c50cbb212b989ec6c96315b39cf5219387744639b9dac0759f40e44a0b99c15c72d04a72f80053e9c76c8cb277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
91d9cb9d7d7e49f97c0e0ce64d9bc4f0

SHA1
75ba234da4bb135f8b26e3abc3e095dceb3165cf

SHA256
3ae5b0b2172f0236544cdc92940c2699327c60442e7c442d3422b033117b642b

SHA512
e84a20bc87c8e83f7be0fb2d9e9a9b93e235f91d357bfe652e8c932288f505d3d6a5ab60aa8a3d1a69f951835d8330ed11a1b71e2308a5dddfb6af3d1770644a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bff2552a8302de13d999614db7a17c67

SHA1
5369b0500288ab631e017bf0851f0160fe502c0c

SHA256
32ba8de8e73d588b5b049b366375c936c232af82d94afbf0e34d6e83e3ef9eeb

SHA512
7fd878da51ae791449182918a94ada763939b4e2a67b75fd482a39081d0a29fdd37f09ebe3ce05730367652afc0f5d97659d659cad6fd941a01b4f0006284927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0bf49223a81c23a012deb8591d481c61

SHA1
a3431bb5ec482b7b797978eae51700157505d8f7

SHA256
39742c8578f9b4d87ddb7ec62f39b86866a5f294c089404acc8ffb0b320204d1

SHA512
ae61a92f3ba4c05159d3997a99be9307265736940f5bce55d40a9e12e31fced6d21389cb04a2fb3ca9042236bdb54ceeafb3ef8afc81067d479c232af5690bf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
970cfd9614d1bc2e365633c0431ff646

SHA1
98359570f15f7c8359e082ec28b22e17b17fd106

SHA256
ffd703786e180f6e4ea202bea4d270a8325919ab672b5c474a3adb4109237901

SHA512
5a750c32736d30a1455721c59b5996148282dc3014a72e0ce31b3641239684e259fbac883da42d36b334c1a1c7581f8907f4b9936b7d147d74dfb6620c726429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57b5f2.TMP

Filesize
2KB

MD5
bd2d5b6ee99d521f8f46f62ddc501325

SHA1
123081c80dd7e3761c1789f04a5cdbe5d2685019

SHA256
adc94d36ba19ae63d8eae52fcf9cbebb21fad0ccd93e5d5a7e32e68adce43798

SHA512
861445e8e756bf21b8b7e686f05e7bba413335229d2b43bb0117e5204494e7ffaabd8486d4e2fa77bdae7f46d2e573b05723619c2a4f1691bf29d61d52ec1ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fe20751e91e1a5fe2fa9f5ac40858e90

SHA1
fe1346009bf60c6117720479c81686a08e703727

SHA256
2b16417af60617891c3cdfdba812687aa16095624530046b48a16447ebda037c

SHA512
b74010d2a0330bbec6c853b437130ec6f7e24ee9d6151dee17f5d7125da4e45c906d074c36ec22c3cc84cbd8e8600f99e77771a524545357f6670c992d8f8173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
ac9f2d239a8efd41cfcbdc68a5b790be

SHA1
69b88d8eba7556cb7458ab645e79f765f5ec086c

SHA256
b9da07ca47aa96e252446c54de6f20a073dd003cf4ad551079ca1a919e05449e

SHA512
d54bc77c5a409cdb678ff07d72cd63fde67e363da28034aff535aeab6006cccc21f381a5c991a70f42c39766a4ac80cb19bb56b5e556ea28bf87ba3d4caa8ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
c2187a2b41f4f4e6db6fc41582b7deb8

SHA1
e94f8373711803ebb398ba8c1e40dcc1b98c18f4

SHA256
d72e51f3842d16802fc56b97789fbf0e78d4f0d483cfe8ce8a2715e1edab2412

SHA512
7260614b261dcd749a3db35e3b064f0619c4dd0d6bb24f39da633864c5fa1b1b5bd9f3470fa27a95d5435e01148f891bfcf748a4701b3c147771c7d7186e9f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f2f21e6d01f2f34052d682ab3b693e8f

SHA1
efeb31c6692a55e6eb643fe334e3223794fff78f

SHA256
b74f26bbe839c3ccfb860eac5880651fb39700cd5b72f009ff6adf01969f11a1

SHA512
630f43d6f3f026ac7ff86c3ab52c5bdb885d266d2d86c536845c95c2755c582a37044e2079f4a85885b40fda0a2af6231bbdeef72a3d500a7da62e0d35810221

Download Submit
C:\Users\Admin\AppData\Roaming\4e4a346b92844182.bin

Filesize
12KB

MD5
6dcf48df6c1b2127c0bc3f3a6cfe311c

SHA1
7b71cb4a4f5e43ef0dff8f2dd4d713eb51fb41a2

SHA256
761f4d013a70e288dbd04fdbb63316b952917660b2960d08db0b4feb5fb1bb48

SHA512
11e9d97ef170adb3b7f7624d45d8f4683971f492c5f36bc2b8d4ff3c237aa5dc5c2f9daca89fb5b298b1b0700f0d73d6b7dcd3149e4b986c69523d3bb1e68daa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4429dbe6332a780522683a0385cc4075

SHA1
d00fe4e24382ba7940ec59ec3e5f0819086112a0

SHA256
dc9d5a90d22d63444be40d2ecc98975066301f81dbf8cbe45c99fac45a1ff2ae

SHA512
64016d0d61bbe5dd8c66d2d7404fb94a0ad62c4bdd5a3615ea1e3a7515aa24d6ea724d0d225e69154dba4644ad18a38ce7797775a30015066e9d072fb2be2df9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
510ecf6b04dd210dfa954923e3d5abaa

SHA1
b38a837b468fae09a2cc44b3078c29b9ae9a500e

SHA256
2cab12ea82978ea452fbc471f102b756949bb97e9382e5abeebd99500fa90fcd

SHA512
2d288e2f70e478d496737c658afdfb38fd317cee1bd6efd91c2444d71281969528f83e50d22297fbe1ab2a030e2ce6026d49d244d7dfdf66bf616168ecdb4632

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6d7642bd9185fa1699df383f494de5ae

SHA1
2e07d7af985b7afe598ceb4f9ae5d7fbc712eeec

SHA256
f3601db6047e02057cd2fdafdf377cba9f61f36051f763d5ad37788b2ac5976d

SHA512
95400f4a22d95e2a08112b7fe2127cad63c3ba78a608f3867d57c9e6c59468f33c7f15e879370af00a62dff7cef6865cea3c090f970f3c3899beae158304406e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f8c8d953da6661ed856d6ca33dfb6146

SHA1
ec1e29ad7a5f899e0b6b94c303b5f8aa87ac27ba

SHA256
5f0e95e939d4b2e0c29469322d665821ab2788062d29365a3b6c927c249a5b96

SHA512
5c51b11c1a2933001de91dcbd5b3d593428a15f59fa1e42904568482ed2f223db8fdc7213c7ca9ada61e49307c7c8e79f78d6fc42af499721d6e308534d26054

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a8dfd5409ea9d71fc71351ea0096445e

SHA1
f11af89cf4d5a1694f51aec4a1c3ded931860b27

SHA256
99cc8d6fc385bb5db2f75dff5171846a9acc37051e24d481413d64bd5b6e5145

SHA512
6ddab2ca30bba931e64177b36d6184a36ad62422d1cf6531a642c1590967db3b649a8e168891a0d5f2936e91f5f3dc45da5f20994444d91dd880353274b63b27

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
67b038e7ef7ea1fd93f5a85c268ddb7e

SHA1
61808826cc36b80da615ed2b92ccf839aedf0ffa

SHA256
715a5c4018d10bc1c1fceb7a80f980e409b1c2ffeea1ef152891e08a0ead93a9

SHA512
3be5163559113b4e27cb2cb2780a3542f83d2f3ec2da2f1fc2d49b785062b3fd301ddb5549add9e959d21fca73028db529f066d7910da528ac1f284fa9d951c1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cf44842fd836612bf02bd1ff370c7632

SHA1
24206a9a6e729c9a9f4e77c71498005ad319bb6e

SHA256
473b75452fdf289e54f7a4015b94b90ac92dc8ca4ce771226ad00cad203dd139

SHA512
8b4f249fc77e591b0fcf409f38cd53425b3b74e83c4b15f20fd0ad2726eef3fa9ff4e67892d9498e0fafa22c326f8d519dd912086ad6f1283f857a02db64f470

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aee2be543fd4e28b736863ba14abe99b

SHA1
16f1f1c3dcd4c2ba0609f7bfa8cf131c2fae512f

SHA256
9d32967188e7213df31700984d9ee10ce4fa48690cf2a9cad055b670c7f7a8dd

SHA512
d71da4b2e8d59ca3fac733698b41a7cd4934710cbb920f826e11cd81899b33a9f3f47ac9c392b32b166d7b6044e2921a013f9c51d633d117be437ef9250575ee

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3d362f158502a11868e1c92dfd198e61

SHA1
246dd31c50ed4a4e3350b9d53899963e61a00506

SHA256
304faf81e66dfe234732ebff6659b6a4fdc82fb083fb8a0e7a7ded9b886b261d

SHA512
7676f059b57311ef19fc243de11cd043a653f83ec094296e4869a8a89801d9b52d913332d6050ba778a3b48bf396cf2c75fdb6987a0b7502df5be6df22a67ec8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5b18b77ff22b75c16fb16666cd3bde2a

SHA1
1b076a755d1b1a3fbda533c9e81d1d0bf9f6cd09

SHA256
c69df4bdd8f31d54c7e2782770ca2d40cd545d74e9d269c275b5975150034e9a

SHA512
1c946e7b77ad028141a4aeb18df333d7dce93ed5405f8c5d62ab50fa0547e21e8acfaa63750e53e8dade0d585656afb950fb534c25bf25ec4e535d7c57745c01

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44337fb3ff1237436890b6d45f983b9d

SHA1
b5321e2c85138c8bb6ea4ed219af8ed88df99288

SHA256
e2e0acac880c0f8bd6bc59b2e61ec986585c35b7d98ea22687082dbd21c5634c

SHA512
cf937bb281786293cbce96d9888131ad3f1380fb5326b38de4f99a07f466a827aed994e3436b2559298f9d36a162af750e556638c2cc24b7b9509df6ff2fb80b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cc51500d38e11858cd51d3d04ff86b4e

SHA1
cf062707b9ef815139dedda5dc14b9bfd294846f

SHA256
c57b4329d3a1fda1c53eb3c1de76f03294c0403b6cece98c3c4b5585a040b7d3

SHA512
1014508f95689fe4353ca2e560ea6cb82fe1adfc533cb7c93b6c7b4565e45f27b9eda82471e70b78a30a2d83fb67aed834e0fd873156d66bca16ecd0f7ea3e83

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
db73e9ddca15ce74d7ead966ee731695

SHA1
5373e4ea3838671b484a673d12068fac124d4560

SHA256
b85be5652fbecfe297c48598e27adb5872411ea4d4896ddd4c61f35ce8f453f7

SHA512
a237bcfe3ab890c3ec4a8b1252ad0088d1e51b441df4434736a715162f8761292e0ca5dafa7094c1facafe29d324441f3151242e5207366a08b22b3eaeba22d7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b9a6ac402c02d4e00b3a9584f25267e8

SHA1
936f0236a5ff17fb9ffe5525cd966e322355ede8

SHA256
8083798d045f9dd0f14b423b8021e0a5d37e1b61a55e3a2f7a48bb4e6db337c6

SHA512
d84dc6fa52a8d4d5df6c0fc90dd74934281cd2a35d8617718d4031aef063134991e8ceb73d0aec968064b31c31f901a08f809601fb1a86dbd362f80780da982f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1f457ecf6cf23ed3ec1896deb058a1f8

SHA1
c2860290bf94c1df1395dc038e037955c48b96b2

SHA256
a376c69cf6bde309910f0bb7d2dd82f701584fe8453fa72bcb7c08e2fd99be5a

SHA512
b55c1ee5abedc0d2822989ab9b2ee05249ea0674ff01324e2bb38f47aef3bff7a8446e04851c253ed6a7c23df935676038367088721ba605eb12d3f43a79a581

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
94d4a87468eb2c4405ea029d8632955a

SHA1
b8ed9c58d39baf539ab90319be966c88fabd5db4

SHA256
a1b451ad225c004f4d6406613ee8bb0353f16862c0e08d451f153fd71f415322

SHA512
5e4edb6c2a7b81f9d7f0f05b0a476831be8391ff63315bed6715e891a5e59e7ad1d53b0c4bf550f6f3f04a8822b958c4dea12063a6023b4d7a97f746fee482e0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5bfd764b83d14993f21849e5a1c85bbb

SHA1
b157e8925f01ffb1765fcf903b95c92f831b57f5

SHA256
b4ab884c0ed8d1baafb20612a1dc5a91cdcf38666af2876a754262916f6bc749

SHA512
b372cffdece67ea796d660cda8b0e7cf4fac7a3c12a35f448b33146eba8d125f21c8354d5b847018f685982008bf855e56f96a9832ff9b24bcfa4fb239b8d1d1

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
22a8a5cc08231cacb08b6ffe4798fcae

SHA1
6bc84eaecf6dab1cc148255bce14a6f15370a48b

SHA256
40dc05ae540fc4fac8a4000f827379351273062ba5e8262339ce03a77d8c0c59

SHA512
05ec5de09a090dbad7a1b410d76e1c64a245a46bce8df14a0641f1cdd9ec74a22ec06380b3b0788eac4859f847fa9bf57382c0c5586a49ec7c870501695f8d81

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2581e5826d2df25af53ecc83ee1f0481

SHA1
b65fdf5a6faceb79eb165c5462fe1e13258cb2b6

SHA256
4b7332c5d22c70176de99e513c078bb3244ebe1ac912b1628e3968037c25d8ad

SHA512
9b443d8d764cddb57d50c1d73cd878d16583fbc043bcf156443454b17d7c3d58c4d31b2980fbe4d9bbe0b0779a550ffd07ac57b5d9eeb285d30d33a7ac6e95fb

Download Submit
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
404c359cadf63d25087c3d64bd593ef9

SHA1
071c551863db0b00cdab46da25a019928bc55570

SHA256
910b99812f00650be9be892406cc6bba224d95791e774b5439348f89076b4f74

SHA512
00aed424d762102d6e0f5197f9ab3391563085558a3d93c54368c3cdeaf2743c1a2f3d86f0211895a80466422b59e094e84d264f9360520a9d55114b5ec0c675

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fbfbefd520210654e3a0ab28d1ae1577

SHA1
fc6ecb712d14665b959ab0439f9a9d34a6f8cba3

SHA256
258558f8a045077a99176394c2f009745534f6318ee291621115cfb05550f737

SHA512
91e8d1f52b260687ceabb6d765bac6bdcd1bc28f8401915a3a3040da8fedcbd282f744b775baad232705a1485b8d764715f5c4b8392f6797697da285f5997d4f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c025f503333fcf7cddde50c46b958a33

SHA1
7fa5bb288d2c17591e64e622f9de3c871a10865c

SHA256
95115585004e9d9b1c26aaa12acdca505d3c61a925211c5021f94369d24521dc

SHA512
7db67af5bcdbfd6cd7a82b014cd9bcf8864ba4d13c07d2370935e64e56748758eee8847053492ce533d099557d60def82733d849abf9245a390c7af429948313

Download Submit
memory/312-301-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/312-705-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/468-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/468-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/468-96-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/468-91-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/468-94-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/712-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1000-273-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1000-18-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1000-12-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1000-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1008-279-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1008-66-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1008-60-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1008-68-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1140-100-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1140-217-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1356-613-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1356-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1460-220-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1768-252-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1992-221-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3216-9-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3216-42-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3216-36-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3216-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/3216-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3240-223-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3272-219-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3496-693-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3496-253-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3592-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3636-222-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-589-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3840-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3840-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3840-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3840-539-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4036-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4036-699-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4144-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4144-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4144-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4144-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4144-70-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4312-290-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4312-704-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4324-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4776-32-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4776-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4776-496-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4776-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5092-226-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5180-526-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5180-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5292-528-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5292-708-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5412-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5412-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-709-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download