9d6f757f4bfcd703901b3aba771dcc876be6dfabc693d653f060facc738f67f4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Size

5.5MB
MD5

2f5783d00ba0ca5e69720bef1f4b0fe4
SHA1

e6c1b377da6c10b7c34d2733e51b95553b53a5b7
SHA256

9d6f757f4bfcd703901b3aba771dcc876be6dfabc693d653f060facc738f67f4
SHA512

9b896df895d559485df927e54548738fe1c9c62277f03af1d9093890093793ca07598784ed3810e09dfdfdbe1c74e6f6268c66420ced5e2704ca04cae0402281
SSDEEP

49152:zEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf6:vAI5pAdVJn9tbnR1VgBVmkQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1456	alg.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
2092	fxssvc.exe
5012	elevation_service.exe
2516	elevation_service.exe
2068	maintenanceservice.exe
1096	msdtc.exe
456	OSE.EXE
2172	PerceptionSimulationService.exe
416	perfhost.exe
5032	locator.exe
5108	SensorDataService.exe
1044	snmptrap.exe
2944	spectrum.exe
1032	ssh-agent.exe
2292	TieringEngineService.exe
4600	AgentService.exe
728	vds.exe
1388	vssvc.exe
5208	wbengine.exe
5332	WmiApSrv.exe
5464	SearchIndexer.exe
5276	chrmstp.exe
5808	chrmstp.exe
5968	chrmstp.exe
6068	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e7ebd0814a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\DenyUnblock.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a02dea1e6e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a980e1e6e9ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3128	chrome.exe
3128	chrome.exe
5624	chrome.exe
5624	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4136	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Token: SeTakeOwnershipPrivilege	3672	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
Token: SeAuditPrivilege	2092	fxssvc.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeRestorePrivilege	2292	TieringEngineService.exe
Token: SeManageVolumePrivilege	2292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4600	AgentService.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeBackupPrivilege	1388	vssvc.exe
Token: SeRestorePrivilege	1388	vssvc.exe
Token: SeAuditPrivilege	1388	vssvc.exe
Token: SeBackupPrivilege	5208	wbengine.exe
Token: SeRestorePrivilege	5208	wbengine.exe
Token: SeSecurityPrivilege	5208	wbengine.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: 33	5464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5464	SearchIndexer.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe
Token: SeShutdownPrivilege	3128	chrome.exe
Token: SeCreatePagefilePrivilege	3128	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3128	chrome.exe
3128	chrome.exe
3128	chrome.exe
5968	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 3672	4136	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe	81
PID 4136 wrote to memory of 3672	4136	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe	81
PID 4136 wrote to memory of 3128	4136	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe	82
PID 4136 wrote to memory of 3128	4136	2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe	82
PID 3128 wrote to memory of 3772	3128	chrome.exe	84
PID 3128 wrote to memory of 3772	3128	chrome.exe	84
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 3676	3128	chrome.exe	93
PID 3128 wrote to memory of 816	3128	chrome.exe	94
PID 3128 wrote to memory of 816	3128	chrome.exe	94
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95
PID 3128 wrote to memory of 1696	3128	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-29_2f5783d00ba0ca5e69720bef1f4b0fe4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4a9aab58,0x7ffa4a9aab68,0x7ffa4a9aab78
    3⤵
    PID:3772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:2
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:1
    3⤵
    PID:1752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4532 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:1872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:3416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:5996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5276
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5808
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5968
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:8
    3⤵
    PID:5616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1912,i,11055862991727822070,14332748670099474098,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1096

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:416

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2596
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
08d3ef720161e56459615fbec159db34

SHA1
60abdae5aedce48924b5d65f663b2146a83021a7

SHA256
5fd2bd8ce801e918856b3148bcb359fd3adf7fedff65a226e949cedfd985e9f5

SHA512
747b5089448f4c9d67143baecbbc58756a30900c803916332ecc6a428e7937f9e97d7be68906755f6ed34c791862990ea0f16f554bea4a8ab9cf33c14f534dae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0066e478f8840cae5da2064f24f929a5

SHA1
9092bed747d77a6502716b83c53e8fe778b1da84

SHA256
560965b98d5d89974fdecd7fe9965d2f0c4cc7911368c3cda0365c3adabb3d9a

SHA512
ed963ca5d5fb0ade5385145294f77bc1de3e6687ca0e3de27d05c3637cfb76d5c0db753a599d3061a9087c3063b385617930d5dce00cb9b7bc8f29b0200b93c8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
0717c1e057de02b4aa5b5b472cd617a2

SHA1
284d89783b91021a758aa011aacf6f4171efa325

SHA256
3dd6d588c14e40164fc3fc27da87b71da0b866374ca270705df8efc61fa6ce7d

SHA512
a102b4016892b7f776a36493ca195e75d4c53194808a4077c071bbd0fa0d5f0079a27d0664ffaf5676a820dabdb55171a9660c3a44a2a98c3567b85ab11acb70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3657054f81c087051fd1fefd36fce3f4

SHA1
5934dfec6c12a02aa47bf59aaefd19584deac810

SHA256
97c4fb04721cda8ea797e73955a61a572c99a08a10397fee545b1a4a4b6c6497

SHA512
ddbe553c6e5bd06c1ca1a63b3db7456e91538c1f2812304d0b7585a821490d9e708762a80b2551268eb08c949b5717432f0dbc11c14a69942553621dda262df1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
317937ba17e4ebccf5f78b05ca6d9206

SHA1
45a9d4cf697b1c021d290612add446343c07c16c

SHA256
69f4d7b012c64b8a9c3d50e1d4084b608f22b32b10df659f1c53a6d419aa8b8a

SHA512
0eb71eef63d0357da4d6d6b6dd48c87641a98813931891ee84dba2470826e1e19ce2b017f7383252f44858d6026f4dafe6fcfc138e9a098834a44dfcfb3e81da

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c0a0d87e-f7b7-4330-86a5-1615ded1be85.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
344a5a1e822e6de1ac9a22dfea4300f2

SHA1
e20b3deebf62ddfed5a653b83d877c0a350267f9

SHA256
356549b6c98e055207887c12edc70e3d31a21ab2c4ca1c953f297915101f45aa

SHA512
940d0da91d992042a1166f9a04fa21f718edd38d422e9d25e23c724b27ff17fc0ae5020544ad2f90af1e912d8095fcc5a3ffb584d685b5f682c1457977923dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
565aff2f931d4ce40731aab2efc99d1e

SHA1
32d948685f2f8445c1ecc6c8ffdc40263aa65abd

SHA256
acd53756a6964ccc18f97aa1c0269f620ebf2c83f3e48974183f6e6771538f6a

SHA512
f4531b68c1cd7fb3607ab1a22db10c3a88cac327eeb56b824b6ec13886a436c09bba1c3c000bd9013420843bb66750c4bfb09b509cf5cc5471928567238a3b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e56bb383ce7bc115012b50989a0bf816

SHA1
f80e46c2d0c51450b71513fa6fc711259af7f7c6

SHA256
5de8077af36efb3cb289c3465c5fd3fbc23d53746b6f1a3b09fab7e74a42c31c

SHA512
8c5864612aba1c81474aef2e0b8fcbb1a170b0e333947e8bb0bc296b76faa36676c5b0cd6701baf3bdb0b865e4aca6b8898d8e124f1cd4f0a3753ed45e271d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5769b6.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a364bc7ec067288e0770b983cc6d8871

SHA1
0a3ad745fae5247ea9b91f4f0a546f24e4aa5ca5

SHA256
9ce7ca0dabd8759c7ed1fe9812bb9f6dda9f52aff3269a99210d9246018cdabd

SHA512
74053f7ef461e8b13a6cbed473dcf1ed5019cc356968eeb31de8ffce9fef225c8633b4076b588b81cf766f2374152fca52afda7c1a37a05ff1f7de40c582b705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
d960f204c13f176dd435844bc7f2c22c

SHA1
f9401ad3ce9081eb243a737aeeaeaa54ef26e264

SHA256
4c787a892ce4b74d98707f0f34da1132c17a30b185b1c346a5a1a179dc59a132

SHA512
3cd72ce4dfcf9776406b3d2b27bdbef9034c52d7e16137bb8ab8da8adc32aca6739992ef414666b3e97af99e4103b25df6da1fa38b8685a4a5e5a09e740bc535

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
6556973901a750d92e0c3d3801d228b2

SHA1
f97f26a45e11b64500b483c0560234bd7034d2eb

SHA256
ced9a8cb17cad9038cc7375ebbc0593f48d15a5f288baf513592536ce4cd3ab8

SHA512
e4d9c16101b9cc20bb4d7d838ca08ea81fdadb793629a7223121bb7718d31d3939e4392c50891139bda908b55e3f37eb82cfc85e6410979df7e0a9d59ca3efe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
7c8aefe87e529a7a1612889a01a8dae7

SHA1
671e43cb13fda2477f39108c302813cb30ab44b9

SHA256
ac80a174d77e950375eaee8369ff85748c2dd12f803ed87f5ff57fd809fdcf59

SHA512
1e7fc3efacd6c937c6e73985abfc183a713be8fe1c7a896994fb44ef883f3806c6045f9aa2c8abcae1d23faddc8a5c6df5bf7f98a5a8e227996d70f1c4a17dc1

Download Submit
C:\Users\Admin\AppData\Roaming\e7ebd0814a48edc7.bin

Filesize
12KB

MD5
5b3b314d20a28003fb024c4a4c173eef

SHA1
3d610032c7055a31dbb9a9072eb2ebe4c136700e

SHA256
7e5202f2913ba7dc06ec071b9d15f16c760e837c4a5b6a9096b9cde9e4a7e7e1

SHA512
3ae33bbce9cf149de2e22e218d9627d45d61ad9e95efebe901295c8aa6f21e93d85324433fc5594a15b52fe9a6a461250b5e94ce48c09ee1fe957e74294c8fbc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
054fdffbc2859f9d8f2dc4d80acbd939

SHA1
1df63b535260fe4fa3cc254f2885c2e3e4e71a28

SHA256
71975293107d7939d01c481e356850c3c7ce250c95406b330e9c7c9553067636

SHA512
ce25a04a442427eace035284a76ddd0c146643ef51e16b04eb7f7fbc00f36b655295d621a303ae3d8d7a454fa1ce5a12aeb85ed90fa700edee9f5d36d721fe90

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b722b29bb17b3eb11f971df09e3bf9e9

SHA1
8b178c133cd4d57f951ef283e8e9e5c2796918dc

SHA256
d223f9d410de312ffda473a20b0be170f36fbab5963791cf3e04fb2c2058322b

SHA512
d7e9f2cd36586e364335ac104caf19bf3a8cff5b6d22ea2472ead2c30c06f7e1637487679d2457a12d018f84c3fb9b5c4ea13cdaa524d691dd26db61e892643a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2bcf029939713b0342bf2b5cc9b74ee2

SHA1
f5594b62b3d73a0de7e1a34ec6995e20252c11b7

SHA256
7a184a4565ca407788b3019309f5bd477473fdc3843ebc6c5fc2239b1110069b

SHA512
6681f7045870d1927fe7f5af4991b5dfc2a6065e38e5fa33e63ab3b7a2b37b1962e80c52cf8a41444f8d52fc85914a34e534f3bed18ab4089571f79228c0d7b8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d84d59463f0171fef9ba109c500884c2

SHA1
771f795703d4ab960c1a30ceb030d1f765736f5f

SHA256
f73a7ce95cd00d2ea2c4c7a442003bfc5835948596418ad99ec6f624fa6788b3

SHA512
0188002b5df168dca6526dddaa621e91492a81a2cb57d5e4e301ade2fee87bc70ba4dd2d71f643f64d53b0618995e5996454337c217f8253b65a39266c700384

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
94afaad6d6f90152d14bcb79d68f7bd6

SHA1
2d78c0d8fb415a403827680497578a6d682ff3e8

SHA256
4e46166ddffbfd40076fdf9f7dbd112bedf81be68df4315b0415e58b30d0c0e3

SHA512
e6e97e3ad4f2f7832bc71b1127ce6497fa92431fb3b0b671dc0561853829cd5cb7468660cba899fd991d733c45c4ef68850f738e20ef646b2a56a6e126e18b6d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
aff51f2576d093ebe6be4ca28477538d

SHA1
d78489a77741437a9736c24eb6a5e107cca5c787

SHA256
7706938a2467aa17e0bfe80a5da5c92d4f1f44d3fe070ce8d7df8f03477e76be

SHA512
afaaae6a33992c10f4f932bfdfb4b6251915bac8e2cb04a535976653bd457ac44b820a833f12000d9623ec869660ff5a96b5a8e7318f4f1c8f6c321a5ac3dabd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
85d860042807053531b7f246d645ba57

SHA1
6868c0654923ce3dba79225d3e107bcb0f048d2a

SHA256
24f3d7f6e18595c0b70e465991f1a8d5af66194ceb0b63e752f7c6084c42739e

SHA512
0cc6bda878da8586e9489a72dda6048b4d95c6df5285a6d81ff213fa9d838a40ae7614d12a7bbc6afdcf7032b9dd2479ab8bcadb270af68d77bc589942c7d38d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f8a1d788f9dfc2ccce624e47785e7afc

SHA1
8090e06e71e2d343567cc39695301f6351f1e26b

SHA256
f6c7a41c86521144653e741543ff10af5b8e6d6f32de30f4439fb1d56a2393b1

SHA512
bbbe5f0536fc4996d9db34dc7aafc9e86ca6c981325887eda5ba3a83c4600bde6b49d192928e8b548fa836705f79d48ba9562c6cee47021aaf928a6452cb2df4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6dfbeb8ceb995f39ff41caaae364fde4

SHA1
f18afbabbe82044384b6404b9992964d272afe36

SHA256
b5fb9dd70a765d4ee03704ce5cd9d18148ae8f5280cf81c4853be351739b0025

SHA512
c36d3242ff5205b78e4d06b2a8b8a0e8d2eb9b23f756357c34dddf0a8b741fa6e71b54122580738503f5eec06a24461258ebc0b3b99999be190231d726212e77

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2df81a4ca3392c576385bfdea204db9c

SHA1
e695591734a4345086f03fed51b623fbd0f92518

SHA256
6908c6594e58f06ccc9bd948bd26c4183d7c9d0577483a1e49abc64ea4107431

SHA512
1f352f1af8fb6893408b6850e5df8a6f4aff4ca8ee096d22cbd54878d9b2bcd628c991de6504cb97d07aaa8da85949b5c961925979b2fdf9c84a9ddfb6801355

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0cf6995ca00161f210c701815e24e5a7

SHA1
2fb62342141b498decfb1c077e76f8e57fdd321b

SHA256
b5f820c65e1e470bcb9b904bad6bfd10f06974b8c46d03843c9e793fc0667c3d

SHA512
948c2b6ae83bf2531b991da2a003f5e9a35263e1d2827450ed946bc99f26dec480569b16384feac604dd81c6d4dc6cd7a5ba2375db967382360d3e7636226b21

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0fbee3bc9b2259d6e347478f41cb147a

SHA1
14c0ba09ffdc95f5b05944a2efab259ba2293938

SHA256
2f05ad583051dabceec87f8ced1ae68519ecc8528c09a30ae267fbafd369fb77

SHA512
cb4dfc6a24a554cc1cdeacbed7b47aba5130322cc5a51a463fcde1c40cafdb0d45feb00f865bc650651583263f9c2650ae1aa19ef96b34a8250a03a76a8c17c8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9f763b017bf7d996030858f6920760ca

SHA1
3390f81e78924df65873a9af0041a4b33de2ca9e

SHA256
54e2b1422ca14ff74d11d1c67616af7fd6ebc694d2abfcaac69ff6a91244481e

SHA512
ead8145115b643f20d1257f233488827f00afb4ee506d0ab2ba939941d10b41d246cc838d973e319b4bf23406ad2420cc17901952cf978c2cad162e348c00b56

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0c0db835b79f8eec5dad369af961d268

SHA1
2a6da4f36200ba2b5921cb6d91881cacead412ba

SHA256
39965c1e6db81ca69bf2a791ae061183015a6c28764d29f88025a3d462e60352

SHA512
dace1e13f0d447f32daf20ae556bcd2af60d20bfe2b902a42b1a43f81ac04aea16cfe732454ca9c5f31b8371dc1146acb844dc3effd2267dbd6839928f1b3738

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ca514891d83f35fc35f96c655c841654

SHA1
fdde772848a0edc9830ab37941759f44ffc8bee6

SHA256
80a78c98f7337c553ebf683a1e339338a3635d66cb53e14f027abde16944a52d

SHA512
0a47ed96f49ce2163938bb42cba99a4b56fd0a26bc1644b2105d8c3d167c135e4412d806651c6a46a7e4dcae6d63b4bfed37028a7bebe9561eaf4a448b0e38b9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c0ee374f61c3e7bfdb54ab20c3780e26

SHA1
49c29fec4b267810a34781924b6aae660130d351

SHA256
f7b46227f5af8e5ccba04269541b0184a0430169d9ce0a9995ee74a662c57adf

SHA512
62c696dce9f9a6cf81c8a0a4cf3c47f99db28ea80bf1a1336c703dfa562ff4bba351804bb7d8834942a5e6488737f7f0a2392a241174be6cd3b1d950853b1e13

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
999a9c9b1afc61d114b7b71d915030d1

SHA1
f8d26e12495c83e6eacf59458001a1e77d641f30

SHA256
dbd8040f7f88bc4adabee66e23cb28a3bb8877b864d98cdaa979e6203cc553f2

SHA512
56856deed7a51ec388e2a70fe84c2cce768646672b50c6ee637ec41fb0abe5202f4a521e7cee5482e67067838670210b64150cd392780d080f95308f1fc58bec

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
65d4e33af780004964f3f1ed4b3d181f

SHA1
d5ef2e73deab4630fcc97c53b41ba49bbb010122

SHA256
adde4bd854f6bb398b92a6a57215eae4492114e0f59ce67adc246917fbc7e0c3

SHA512
f27f030db827c100b9573c031cc2f4a11250b6167d2103eb1bcc92332e40be89c3ab44a6dfdff8526ce4c6bbd6c9b221bc182127ad92ed232cecd161ad59b8de

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
memory/416-196-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/456-143-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/456-481-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/728-663-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/728-251-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1032-248-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1044-199-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1096-469-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1096-115-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1388-262-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1388-672-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1456-32-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1456-40-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1456-240-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1456-41-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2068-106-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2068-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2068-92-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2092-77-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2092-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2092-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2092-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2092-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2172-156-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2292-250-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2516-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2516-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2516-290-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2516-89-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2944-598-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2944-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3672-15-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3672-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3672-9-0x0000000001FF0000-0x0000000002050000-memory.dmp

Filesize
384KB

Download
memory/3672-154-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4136-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4136-6-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4136-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4136-20-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4136-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/4600-244-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4712-52-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4712-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4712-50-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5012-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5012-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5012-73-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5012-67-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/5032-195-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5108-666-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5108-198-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5208-682-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5208-288-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5276-471-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5276-556-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5332-299-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5332-683-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5464-311-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5464-684-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5808-486-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5808-685-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-516-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5968-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6068-686-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download