d7d6445112ff378b5a8c373ee12079b77c7a555be5c16bb98160bf42a4b21c4a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
Size

4.6MB
MD5

18520c0e1d420cebcd943d1015b53117
SHA1

4f38e51505966fade8d9215f097c338f38875fe6
SHA256

d7d6445112ff378b5a8c373ee12079b77c7a555be5c16bb98160bf42a4b21c4a
SHA512

4d2a968d43ea8f27f0266dd01fb49d119fa1750ea7defb62055c1a4e89f11678416da63a3166e59c2eedb99c8c24e54c6d06a21f0d9fe00be53584eecdb6b89f
SSDEEP

49152:9ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGb:Z2D8siFIIm3Gob5iEt1Ms

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4580	alg.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
4504	fxssvc.exe
4132	elevation_service.exe
3568	elevation_service.exe
3492	maintenanceservice.exe
536	msdtc.exe
3412	OSE.EXE
4112	PerceptionSimulationService.exe
2732	perfhost.exe
3132	locator.exe
1292	SensorDataService.exe
1016	snmptrap.exe
464	spectrum.exe
4328	ssh-agent.exe
2444	TieringEngineService.exe
4928	AgentService.exe
1216	vds.exe
5116	vssvc.exe
4452	wbengine.exe
2956	WmiApSrv.exe
2636	SearchIndexer.exe
6108	chrmstp.exe
5240	chrmstp.exe
5436	chrmstp.exe
5244	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6db56c016be280c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001983507518d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f860467618d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6a62d7718d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b25f2c7618d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010d95b7618d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
2920	DiagnosticsHub.StandardCollector.Service.exe
4688	chrome.exe
4688	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3508	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
Token: SeTakeOwnershipPrivilege	4652	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
Token: SeAuditPrivilege	4504	fxssvc.exe
Token: SeRestorePrivilege	2444	TieringEngineService.exe
Token: SeManageVolumePrivilege	2444	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4928	AgentService.exe
Token: SeBackupPrivilege	5116	vssvc.exe
Token: SeRestorePrivilege	5116	vssvc.exe
Token: SeAuditPrivilege	5116	vssvc.exe
Token: SeBackupPrivilege	4452	wbengine.exe
Token: SeRestorePrivilege	4452	wbengine.exe
Token: SeSecurityPrivilege	4452	wbengine.exe
Token: 33	2636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2636	SearchIndexer.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe
Token: SeShutdownPrivilege	4252	chrome.exe
Token: SeCreatePagefilePrivilege	4252	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4252	chrome.exe
4252	chrome.exe
4252	chrome.exe
5436	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4652	3508	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe	82
PID 3508 wrote to memory of 4652	3508	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe	82
PID 3508 wrote to memory of 4252	3508	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe	84
PID 3508 wrote to memory of 4252	3508	2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe	84
PID 4252 wrote to memory of 3020	4252	chrome.exe	85
PID 4252 wrote to memory of 3020	4252	chrome.exe	85
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 1164	4252	chrome.exe	112
PID 4252 wrote to memory of 4700	4252	chrome.exe	113
PID 4252 wrote to memory of 4700	4252	chrome.exe	113
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114
PID 4252 wrote to memory of 4532	4252	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-09_18520c0e1d420cebcd943d1015b53117_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8eacab58,0x7ffd8eacab68,0x7ffd8eacab78
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:2
    3⤵
    PID:1164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:8
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:1
    3⤵
    PID:3004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:1
    3⤵
    PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:8
    3⤵
    PID:5916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:8
    3⤵
    PID:5972
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6108
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5240
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5436
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1908,i,6219302511098110201,8329193586659522667,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2692

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3568

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1292

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c0881b560b5dd98631835215843b8b8c

SHA1
ce9f54cb8935807da1fe5e4cf2d5b08815bf1f0c

SHA256
3b0cec704190d26ce566e8c11f2277c3f03d8f13ae3bb5a854b7bddc62e46480

SHA512
d581af61d8e528cf0b35c8b9dafe72ae076f2839b0403e60cfc7cb7358ef802442181b50a050c49f94b160b16e0817e82f79cff1b2fb9c1f190875e70a860f0c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
f1d75864bf3f6573cd82cbd2fc1972c1

SHA1
51ee445556f2ddf6ad248710431b98f92755302c

SHA256
542b2ddc40a7e9894447f57314b197984d88d75d3f5c2b64ea9a16b0e1d9ea38

SHA512
45a0acfdad4e37041277b33ed8e41a8284483c475f03bd0984afb5a10c919a61f72e9765c0578aa900a93deb08910533793a2b31a61abe97bded78f3b5e3582d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
1df9c18accf5dba16e90f570d039747c

SHA1
1dcb18113e4b24427d340b7d01dc75178bf833cf

SHA256
96db576a660250ef8571bf4aaee18775a14d2433555e30c6eb9b035820910f98

SHA512
c788cbe23e9df0d2eeb945eed029e0981c1c77a4ce09a1f05d4dc51addf7e5099b8ecd418fe3ecb93a169ad01afbbec5836d236bc91896c8c084f4fc692734f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
085153f41fe2a6d89f29d2d47dab6154

SHA1
c77295dd8a08d4592e42b46811988a2cd13e3799

SHA256
d49ebffb1cb05b133f3b48a62adb6cee8c6d93fe1bbf832aabaa4382d69268e1

SHA512
6056d523a2267622601c2bdd5d190d6349cf69e74180616d1159e0dfb96e93721b1ac2cfcf2fcc4183a971c4ba1270dd8ca340e498e837e8d6d1127ac4b5e9d5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f767f747f183424563c71bb87cba295b

SHA1
c248d955d6c02c617d644efebf3ae9574dab9b12

SHA256
f86e0d806f9032c1cf3c3da8e3890f246132c04eb78d2d6e630cc94c5e4ac37c

SHA512
eb5437527b78d65f99dfaef3b55787b86ed218c2cdd81da8bd98183f6207ae1a617c1b7cd12b0edf4cd87ba64bd24913030da40e6dbb2a7f8462ab61b925bdaa

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
0fdde6e686a48a247045c30633aa5ae5

SHA1
c3d1dd64f07404b62c5bd7dbaf369a9479b883a3

SHA256
fe4824b719b9bf1bec71a0e42fed6c79920398437f256c5bfbc34c109679e2df

SHA512
01821dae00c71192e77d4c7835f59924952965e29eafef51486130da07f8bd86a32421cb3941ebe21446ce54d31bb4d2ebe904d49eed8ae2fcbd931d9886b0d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
eee7646d8c36116d5519310115fb5399

SHA1
4447c8ac91b46ab679d6e3d2824a401e39925c6d

SHA256
f6eca7d8ee990a33882786ed02b9413671058e3b8392deee1928b3715cc8e057

SHA512
f065a7772591443a6b015c34f38a2e59533e6d606e132c3cdb8f4211844ff93182d6c580cba242203d6f1fb2c15d1018a816804e5719b9a6ac442ca231932179

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
209054f9068caac7186966aae6d6bb4e

SHA1
aca2a492444ddf615090614029fb45db451e320c

SHA256
c299b815139a74960001ee0436c2aa9a059269fc4a002e01c6147302a9e71cf8

SHA512
9d086edae589283e38e4198c1769021f6b996ab35250605fd653edea74e9b5a41988629599b8261ca662abaae89e69a62c6f82f0af9bbc5dc386fcbd2782c440

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
1fab2cdbf2a71972ccb4d057485fd3a2

SHA1
765c12191351f6dc5578d2ca5beea0894b10a41b

SHA256
76f535f19ce44e6c572e516ce169433340544088d586a51a90a5b90534a5e349

SHA512
82b53c2c0b52c06724b0077da2043db55607fd2dfc11e0babf8a2eb1eabcb46a7772c6f4637c8a6f9413088af80e23c21bd878bb5df0011eedbc9066732b7772

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
22d8c823a87ac5d930751a68cebedaf8

SHA1
d41f2e6cbe827bb224f25d033081a7edb6990bb0

SHA256
bd69cae4368907f64c64528d07fcd7ad2c6305d7941cef985b72ca67aab8fa30

SHA512
788249854e88a6c0b5dff404b0b2c07bdbb98db69c3511d7c4fc638f1529ebdbf3bfdc14c534920459cdb38e5be0c6237d8b8b64e2b3b55ab15d1d81a6872f8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f44926c846a06c71c47cec261f2b70be

SHA1
22851d51bfa4c8c03474f94676457189a945f16a

SHA256
f2caa3df3f7b040f6a415343399c52ee7a80c8faad4ab90c651f351af0ee7da2

SHA512
f0c341b7babb4dbf4ce4e3998001b40bbbe570502967cb4962c30029bb75ce3a5b743cc3ec0976e4dd648370d47fcf60256877730f0cd569ad58df44ee10a398

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4760a7adb6a33b5dd029c6fc3e8164bf

SHA1
b64d60aa00711825c1963b0aaba5d2f449b59a07

SHA256
5c24532918d40b7704b2c09d559e15bbef0e3f88e747f82f16b924fd122e8274

SHA512
1873c36870f36463a811cc404eac505ad556e5ed4d96107d2b1d1aaa9579826b52dbedd152ea1ecaf651c19534eeb2c3d386527494662fd4d578cddd72231b45

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
20843481e1a7fef0734f03d671b1be22

SHA1
11f5b710eb206b19bffb356ce69741dfbdde0e3b

SHA256
3dcbc14dd354e1e572ba554ffcc3e9c177a070ef0502fd825ef6c3289d1c4e38

SHA512
4c16c96bd5e32713bbeeb672b0b99735ef3f14eeb5082df462de887f64d1eea0e0b2c364b670dd9b259dacaf148ee9a1e01d3a7dde2a31ca51898130d60c121a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.1MB

MD5
28079f54a1feb46fdb154011d25ee1f2

SHA1
e5ab45ef95ed97b0c9cd23cd1cc9becf3e4958ee

SHA256
5bff5a9a12cbf3bae978d40f9384be7e6cc89e528465d123f1eab4b47d26531b

SHA512
803c3c02ec75a19b8916ff792e6507d8f1c94d94e65fc23c398ccdd6be89183ba2424749ac94d870194ae654f1dbc074d177e828590281f2572be20998da2738

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c10aa0f6a3f0280471b9dd6ffd0927e4

SHA1
9a77ae3ebc24ad282ed6b84e289b788e3d03bfad

SHA256
32f0e5a2efde6b5e46278c3ec51c52fb7cdbc42a55609c27f1fba247c4412e33

SHA512
0dd43450993aef8a654299d033d06cde64810f0b2b7cbf96aa427f9f309b363198ca5a79dbd111640a80bb75cbfba3ec8653c4b960ff9d919cca978c71f4dc8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
44756239ae9d88008b92e8f1e6531585

SHA1
32e4271fbcbb8dbd9117013d34af74a5e8efc668

SHA256
e723d79d25788abeb9771f2f5bb765c3929390ad7796d34b5ea2c5492e2dc2fe

SHA512
a71c97c77f393a50247df8f477bb3ed4a62db83263a1b9d163a75e6e8c2cdaf6b44f3dc4326708304bd37f79ac1e85232ca5804653540779c8ed6de3ff0039c7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b6805453def2cebf3b1e67316dc2d361

SHA1
2a6cdaf698243e0b06ac68d178af2369a8520275

SHA256
22e3395dcef251b98101eea64f976bd2eee4cd957173d141bee5fee7c05a63cd

SHA512
199f259b1818d30f6a7079ef38937e59bb840469ed80ebf810bb95396772b176a1caf8e7cd60a4a82b0a014c04e78cc8720aaeb7ed9859c5cf271be9775b69d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d733611d8944956c465731fa14ebd88e

SHA1
314ac4c91c95962e064893fcfb82419e2ba5b6d1

SHA256
6c66b7237e0180cd62b5617f1584c34f45741389f80d5001016111691a6177aa

SHA512
885aaed929bbc023ebd4dca3be32f96eac8ba4c233bad0c0df1394f954a256e1d9365a46c82680a0e46ec53567e809c1179e8ab0d3bf4ba19a3427185fe9bc36

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\8da1f67e-2743-4e3a-ba9c-fd6abb919ecd.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ebb84921fa5b59ad53b8ef80248f6807

SHA1
cf350ffa191b7bc6a5cd97e4a89cc8c606a8aac4

SHA256
bfad14aa6893a9aac308c16e1689f58467930c38c08c4a9fb01e1fdf67ad3711

SHA512
5b4b1cb70346d98c3cfc89f01380144413993b6bd4f483014af848504980f0f90cd22170d7f69fc2a57f8012a0dd14a72d1bd08f489e9215fe98c1099928bd22

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
7d0020a1145a0c8e72b925fe1e89ddb0

SHA1
465141b269942e683801fcaf96c52a6f5d47d933

SHA256
30e39597320174a29b780bd3387e1e047fb1253348101dff30c6466bf6fd6413

SHA512
f793411327d1d12aa2059c275f665eea43b82901ae0142ee82eafa25264477c8df21f046c398f642a9b6f9693a05cc3579a2553feaf1da9625ef5eaa04f26dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d4ff3603ae1515f18f286a39197cea53

SHA1
93cc9863a19d881501cc056f7d8ea709a8efe4a9

SHA256
26e8881dd0ec0b294ee2bc487c7205ac460f7d85c3d9944337c2d3762ab32d7a

SHA512
cf8f42798e6aff6952cbc49bfc928179d88035c9c29d52149ec918d4393bdfa94450dc7134bcef5e32bf5878098584e1da0dbb60432352c5c13c1f2dbbe4c4cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8859dab5-4512-4948-ba1b-6611fc701efc.tmp

Filesize
16KB

MD5
c62e69a317394017ccb9a6d1d3d98c16

SHA1
989421093caae7e5d2c17717dc2fd186d40902df

SHA256
b619bcb5013b1c0dc876b0167c9517fdd4d8e3d7015fb954254235f2facd4d19

SHA512
5dcb09f2de2f26909d6d042040ef00bc6207ad619f68dcf42987bec5c9544fa938f723aa33d74526f267a9e9104053508a715835f2632e4af90413c258d18860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9247e12e7057cc5d9cd39b84c9700ab9

SHA1
86e65ac19a4fa0c5456034e0890a5c122a08858c

SHA256
54b242df9d953b4fcc27354999834f341286950e39637efa1772a40389e67b7d

SHA512
4e6517d1fd7cd0764bcdbe64f3b129f8d0cebb17178d433b742c59929327dd76c0a1141034f4b8ea14acb46152f82733d9130262c3602e56b3d86abdd92659e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bad4e278ab4a8c5b121dd4dd56f5fb9a

SHA1
34a317c7890fcba47d0c31d1b8e6ec74fe39c062

SHA256
026eacc2cac48b4507b2aaa2f2e5b6e8da76c9613ebc819554c4fcfe140f0675

SHA512
b10647dd75ed9b44dc1242fa0d833fcc314d80285a27e282bdcc096eebf4dfeb59c4c52fc96c4aea6110ac6a93ac3ec8b8275a414e8b166c2cd982af1dfc3295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c2368742-4378-40f6-8f2c-7f852562157f.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
2KB

MD5
d73ee0d91fd993496be9981774c0408d

SHA1
3e91db4c2ef1724cb817a730d9417b70c59ebb55

SHA256
66fa38ae14692d8a7186dd9553aa4a2db6d1e2cc0eba36fee7b47d3e539b32c0

SHA512
ab05c26b8d535a73a54a75a5326491937d7ab43563c9f997dfcc031fafa6f0e484ea2719211f66ea9090ca4941a126287c593b5f8a5f22926c9e3e2317d31317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
62acc678911e1904be63bf0835fa2f26

SHA1
00c0983cfec5c1420195bc088ad51ba39216eff6

SHA256
bd67d818a97b79320ab5ed0192c27384708de22968fcc87f97302ef8cdd30423

SHA512
c11b07e81177b747bddb1f2821690a69fa68e930a1777f7d8e88ff75dbb278d10a23f7bf5971f806c7a1f9bba0536e8cc6b8254716f65edef4a3d6c141f9ee1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
284KB

MD5
658654175a6361946a9dfbd346a6e335

SHA1
312be702e881028fa6bb9a6112c76b90cad0f221

SHA256
4ceb91fc1338cf228a592b37439e6c22f51123fdc7238a6e6377dabb127eec1d

SHA512
0faccee078bcd137b82b03b75579a8d1cc39b0727d0710b24f3cacdc14c222064ffffeec1aea67f5b4f397fa9431ba608afffbd2a03e995b7c5a0e9f658b34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
2d0241a876d78c75d23ec03414dec448

SHA1
ef305ad53b4cdc1c81bfd4f3e3754d5fcc532da7

SHA256
6dc47f08cc5223b672f1f6dec51e377cd400c0be1d6bfc4ff1bd0b4251a8261e

SHA512
987906d0aa47fdf39269dfda5056490fd1ef139363b70382ce1c784c92caf0820a94777a354b5e8db9cc215c4855daf2c6b46532d1591f0ba59c46f5aef700f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6e3a57d1860c9c20ee22e3f639a7444b

SHA1
d75c519d0436c607c7f86185ae916510fac52c10

SHA256
fc08557ffde62a7f95e17bb1fe73ef8cd62d32ac2b98661cead22af849985201

SHA512
3c4c76a838996a8cc86e2ad3742c2695efb8f341dd49199af91fa232690c30673c1cc862f1d5e10fc0754b203060755ed07080373a2b92a9ac13593dfef5be01

Download Submit
C:\Users\Admin\AppData\Roaming\b6db56c016be280c.bin

Filesize
12KB

MD5
f4aef75473f6a2b00ed20b40b0718ebc

SHA1
55f38f9c20a77a8bf47f9867eb7d488a2786da02

SHA256
1cfa557bfef3096b03ac061f35a28edb57c4fbb73e6bc252a718c8b75ccb684d

SHA512
fdc9f09465fabaef1de8b141d732ab11b85b4939b6182acc81af8acb235e06a749259b094f7f9f19abd776ca68e714303df6e4d30d4a6b274faf35d505903d5b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
e06335fdacec7159567838f8bf533983

SHA1
1a6c68e36f8d3e502eceee4f150cc52ed38022e2

SHA256
80029baca9977dc3ff7b2d73cd510b97dd8059a64dbaeed0717766e3df10ace2

SHA512
34ef2fd4c8aca3ef7c53764ded0244e2e7fa36ac1a24721fb36a6ec90d58af25fd311ba09b0cc8e8d09e4a01e723a957320ca6344d8370c17dafd293b66bd469

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce6d6336cab4fdccfc850be504400a79

SHA1
50a2b044915ac5687df91bf2cee55a2d6c68e479

SHA256
0d28d0fc22e6f5678ec60803ad5d29f7a9a1056ebcb965446ab5c2a0a1f41fea

SHA512
ca128832b4ae6cf6f683042342b8d7c947e31b1b6db606ae050f9b1bbb6e0a97add09dec487011552b64e8a18665882dd8e20113ec4ea0c02f48ac14541f5dad

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.1MB

MD5
208adf2fdba7c37bfde4f979920d98ea

SHA1
8a6299dc9ba7eefb0715df35f2a9c72814944e4a

SHA256
c1f978be01b71b4418026002dd5affb35a944bf99080788c6cf1b02bc371ae5d

SHA512
9399be23667f4ce8594c982f70a4c98777d1627aa3db51e81b16536de95c1b268293d19e2755b0f216fcfbd725b1ed283c6b43d88c8dfc4a3d7e71a3e2408ab5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f524ac23be50e239981a8c4dcee549bd

SHA1
7ec4d2107a8eb65b13d4d1f3fcf1ba4e49871899

SHA256
59a3b599dd19ff4452c3a107b79baec7d70a5b673bea058b687cfa978549532c

SHA512
6771770c737499b805b313419e8fbe9fb0844f4d68f8167b98b5a88eccdccbfe72bb60b65df7bc24d0b6671fbbf0f28da3f3a9c522b0767c01aafb93a42c6820

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
fc9ff1bac9150ed826a2b82da341fe7e

SHA1
007978983a97373d4bd4f51e521826dd5a368a5c

SHA256
2999f2455504f906d529bac43da5314435d949649b80aab1e40d9d22d6fbae63

SHA512
bbcfd2a67669e89547506f638aefbeb904ed2333f04d5268cb2999f0e26d0c5619860cb8a3e64e77f7b6b7c912e25f8b94a5fd0276c0731ba5412af9ec13ddad

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
63ab1ecd15a76b60f65013411eeaa70d

SHA1
f4d227309fd0bd29cce623448fe3edfc819b818b

SHA256
5e84c5bd055805e896dbde60b8a819a827533eb26fe442fbe21f3ca139f15f2b

SHA512
1e2187ae3f8835da1d93be335e308ac426248b82f803f5952e137a583373c6415b2cd705489688d2f82ebd761f59b9ab8af4c737bbb92b7b1fafa1f54d119690

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
05412589adcac7c5efd79d42756955c2

SHA1
9e8cdd8fd968313494c92075257c0ee18cc5a2ae

SHA256
60f4eddbc9da6b7815054f678c6eb9821ff6251483375440826f4929333a1b2a

SHA512
110b400c1cac8f97e2cbe89bfaa37b75667656329661ec6026c16436709edeec88b9bdf1725908bcf7f355f741819d3bccd3fb989c6a5b413a586f9dc87887a3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
86bee6f2375a8c474fc15d74450a6f11

SHA1
1fcba89f064243f873631c497d3c680d0c591f69

SHA256
0b288a02f897777842532a6b09fbd77d1ef89b0f84d89d6fc98624954dd6f392

SHA512
8a15031da1ce656673d6af32bc7d00f82a360820a20a62074ee86b1535bdfd1cc25dbaad281fea8b37600803e9a2dd3338898ec5b7e147e58ab2da9ff59935fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
dc4177aebfcc0a0ec4ada1d8691434b8

SHA1
15a282e665c2c1fdc908460c6b8d475bf8529575

SHA256
4ed2320563739a90b0c900df916a546f8ec26b807f72ff40986acff094a3bc80

SHA512
dceb76a0669deb4cb317cf5c5d6edc9537b28a4109dc7d28e80e6aa7d3bfbeb3ed95e75215e4316b1bd5548d95d8fef0ca99c1963ba33bed507926f13546cabd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8e738b84d4993f67ee6b8877a39d3731

SHA1
36e702873f8a1993a52cdb7cf59cce2b384c516e

SHA256
7ba375628b36ff1cf50e3f8ca63676ff3a04dbc17443ae247cc541230c50f23a

SHA512
33576d05c7e57722609e0c18e9820c7772e29dd3141cdc445199d9d3db703a2f31c74e840e8a2ce2a4f2105258a9640ea21863477c87a5d1766a20ba1eb8a077

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
e9a853c1c148fcd6d9eebec5360a633b

SHA1
f063125b8da882938815c5a829b73e8ece66a9bd

SHA256
eaef904700497413e824e156ad03614a5598c0df4ee2b45d19ca3fb24eddcb2f

SHA512
dedcf4bfa23b95a562ca450d3dc6d25592855b46e8cc692e0f785babd307b1645227e6004514b9b79a8634f2292565f8c4b9c0db0f7cc1396b5bc56541767c77

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e3c91832f7bcb90b7d17b9d7dfe1fb0f

SHA1
73934e7e5a49bec4bfcfd5161475a503250509e3

SHA256
7441275da9d61724100b89cf11903ca9c6b7f3b4381f7d2a4235f9ed415fe2da

SHA512
7bcce168989555c25bf3f8edd59d9de3089b117f52e8fc00a880169f7d5f1092df7bcb06211948156612bf1adfe356e88a5078e429b0ee2628b38dd8ea118f7a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.1MB

MD5
72b25411f725868d83c90b1faa17ab9e

SHA1
7976f23cababc48c4bd39f448bd59279a397afc5

SHA256
f2c546de98ad26ffaf41992ba378c700588d72e01012cbff99210975a8a4ad0b

SHA512
2b16f83fddf99a79e7e3c1d719e7f0d384905612f81bc70ca3067d7ec5bdebcae55d3b47ca83650c075f2a051147c56585870f92c5446de1f0c6c40c268f7787

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
dd34b61bdf9a35c9d311dfe0dbe41f1d

SHA1
f6541e78f7ffd4846c868e7691285e566989717f

SHA256
bc9161957b40d4ea5d0459ea04e4556ab6e556dd706b76fd315d1092a00dc281

SHA512
0c3f6645a4d29ce1d8934920cbbbd1789caf3c0f1374c24ad911d9b2b4b962eadec64654edba4aae49d1f61ab4c16491a99350012b2702710f3ca442da6a6560

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
bd8b0bbfee4f60023dc490ea41c856b8

SHA1
3cf34453969054ff6155c963510fbd7c01472d08

SHA256
4f6a3a5891f62ae49f78f8bf77eff77da62781755d2c06964a8f1cd070d5543c

SHA512
d1a0953075af29759d0ec41eabdac95ab5594190f6c39fa1581b8f776eb0445495c99aae93295cad95dd2c305eb2a826a33e0d5dda8fab8e5b99f6ce8e5be116

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ed6dfd8d1fa3c86b1e0fe5a8d5b0ad68

SHA1
3134af812a30102ac107d59f083333d5bc2e429e

SHA256
2f1d22d966fed1a72f49a66bb70cee4346005aefc1c0aaf8624d694f01a48c55

SHA512
f7acdc84fd8f838cc95896e3fd25cf52cc303f1221cb82ff7044f9f4ff4743ab86037c97106d46d4fd0aaa6b28b0ffcac22cf412ab2124c05202235e93a87dcf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
037eb08fc8191f75a994be055805b837

SHA1
2828f6f9bd0e77ce0065a55ae70c123ce7825351

SHA256
f069d6154280edd5ed32594c5d5f806e369d5653b044f866072fadff92dea135

SHA512
c29a747a8ab193ca7d333f1421e0aa7bf604d877a6ea5651fdee1734ac87c422a94a57b2616ed447930b0138545d682d42d8bab1017b82921322bc82a32286c6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d2e37c5de4f368455d686d623dae54a3

SHA1
ae031456f8cd6e405d85400ddd9aee350b9c04d2

SHA256
b53131c1cfeef92cfcbbc73d145c03645bb00ceb5b959ef3aec477370fd1436a

SHA512
d1bf6a58b560499ef6d23b07e5eed44afebc317becf5dccf225b8830dbd6cd7f35bb52be03694228a17a78ef3040522fa0ea4c1e89829cd08378c0ce3b29dbd8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8b0496b3f1f7290589beba30262e3405

SHA1
a3350b49a75f32d2b3bdde819c3b2a965973a9da

SHA256
be91e409e4490ded73534fab9d56c014a15705274fe1d47cfbd09649a08a3ebf

SHA512
fe24f906edf178e143560ea7378eae0c5a3594882b920ffa06b2fa8ff342512cef58196d858791fbb13f976d85d21414055c80cad6e1a7fc6c8e545813807072

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
647f4b903537bf644d61ec2ae09f6db5

SHA1
4b1d3eabada240442de365bc58ee7d7f3497d91c

SHA256
f7109e6a45caf4f38e604e7f115ae7efccdd7e191412a0ab54052bbe552a5a10

SHA512
5c5d7e9905dd63731b9643b80565156aa37a0c47833433c3e9ac52ffc1ae0051b08e887dc46f5b16ca55daa58de3baab914e09a747645ba08b0f2db6f2d9b6d5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
f89bbc38c9ef3edd1f9392f7431a15ff

SHA1
58db065e61e87ed313c4dee6ca86aaa12024e550

SHA256
45bdf9ae08c5e0081e36843d7888ad8f397753a97b5a57f30912e43a01b400cb

SHA512
e9551953e799fe2fd79d88e714259b5b0b5082b1bfccdb46b58a62ef8a268d4a6179eb8d8c8c48b93ea108b8df60455c28aa4b6f80e3eac096e4c90f3d572133

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
41cc85108a2af68d890eddef8b4ad538

SHA1
c6cd5a0f248850331da0cbf501b157e12c332b76

SHA256
c12ad977e2a205e3d29201f1723f75b20a0cec0498e83656f71ed059f9c43110

SHA512
d48c9677bf499cfe0f68187e44faf60f6af9d4e6777fa510f325d82cb088349e7146d57832a23c23028207185cbbb72bb5fcb37e08fa7b75b09d7d1ff736ff6a

Download Submit
memory/464-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/536-206-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1016-212-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/1216-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1292-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1292-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2444-215-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2636-220-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2636-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-209-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/2920-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2920-44-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2920-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2956-665-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/2956-219-0x0000000140000000-0x00000001401C7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-210-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/3412-99-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3412-207-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/3412-93-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3492-76-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3492-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3492-75-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/3492-85-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/3492-87-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/3508-30-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3508-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3508-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3508-9-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/3568-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3568-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3568-657-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3568-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4112-106-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4112-208-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/4132-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4132-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4132-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4132-286-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4328-214-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/4452-218-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4504-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4504-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4580-454-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4580-27-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4652-21-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4652-435-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4652-12-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/4652-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4928-156-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5116-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5116-664-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5240-431-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5240-667-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5244-457-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5244-668-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5436-446-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5436-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-421-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download