bef38715ba8726a04fa79454e4669835f8a9483f28fa8862e799ac919de263f0

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
Size

5.5MB
MD5

4acdcc30b0509791d64aef3db67aea8b
SHA1

192ddf92990eed0ec5b78246a06f09b3c323388e
SHA256

bef38715ba8726a04fa79454e4669835f8a9483f28fa8862e799ac919de263f0
SHA512

690266e30236ab2b78229ead0624dd989eec43710abca428b24a3290589522cae861940701108c681788c751cceb1046fedec09a46a343436e54b8753f580295
SSDEEP

49152:WEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfv:sAI5pAdVJn9tbnR1VgBVm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1796	alg.exe
4912	DiagnosticsHub.StandardCollector.Service.exe
4892	fxssvc.exe
3916	elevation_service.exe
4244	elevation_service.exe
1920	maintenanceservice.exe
2812	msdtc.exe
4296	OSE.EXE
1360	PerceptionSimulationService.exe
4540	perfhost.exe
980	locator.exe
5060	SensorDataService.exe
2412	snmptrap.exe
2964	spectrum.exe
4716	ssh-agent.exe
3048	TieringEngineService.exe
2360	AgentService.exe
5184	vds.exe
5276	vssvc.exe
5388	wbengine.exe
5488	WmiApSrv.exe
5592	SearchIndexer.exe
5852	chrmstp.exe
2340	chrmstp.exe
6140	chrmstp.exe
4804	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6fb0c87392be0f3e.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5294e4e22a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f84d934e22a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd87d4e22a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003773024822a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0e3e4822a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602904594959715"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdaffd4722a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b84534822a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000629e634e22a7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3fc0b4822a7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2116	chrome.exe
2116	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1476	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
Token: SeTakeOwnershipPrivilege	720	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
Token: SeAuditPrivilege	4892	fxssvc.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeRestorePrivilege	3048	TieringEngineService.exe
Token: SeManageVolumePrivilege	3048	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2360	AgentService.exe
Token: SeBackupPrivilege	5276	vssvc.exe
Token: SeRestorePrivilege	5276	vssvc.exe
Token: SeAuditPrivilege	5276	vssvc.exe
Token: SeBackupPrivilege	5388	wbengine.exe
Token: SeRestorePrivilege	5388	wbengine.exe
Token: SeSecurityPrivilege	5388	wbengine.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: 33	5592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe
Token: SeShutdownPrivilege	2116	chrome.exe
Token: SeCreatePagefilePrivilege	2116	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
6140	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 720	1476	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe	83
PID 1476 wrote to memory of 720	1476	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe	83
PID 1476 wrote to memory of 2116	1476	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe	85
PID 1476 wrote to memory of 2116	1476	2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe	85
PID 2116 wrote to memory of 1144	2116	chrome.exe	86
PID 2116 wrote to memory of 1144	2116	chrome.exe	86
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 4380	2116	chrome.exe	93
PID 2116 wrote to memory of 1992	2116	chrome.exe	94
PID 2116 wrote to memory of 1992	2116	chrome.exe	94
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95
PID 2116 wrote to memory of 2020	2116	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-15_4acdcc30b0509791d64aef3db67aea8b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec2baab58,0x7ffec2baab68,0x7ffec2baab78
    3⤵
    PID:1144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:2
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:1992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:1
    3⤵
    PID:2156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:1
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:1
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4000 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:2560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:6040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:5520
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5852
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6140
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1888,i,7792908489359236750,15779721299790999779,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1480

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d3a5b9bce0febeb46c13898a9704a3b5

SHA1
c8ede6879df7647240bde252b96c13b153d8d7a0

SHA256
7f1eefd682969215fe7bfb4c97874bd1af549913ce95a75a89ad5a2807461c3c

SHA512
de023212cf2961cf3277e4adef1f7d97a98d291aaa62b01fd39976bcdfceb19dd775a9209ad084810f7b82bcd4ec6476b16461fe2e667fd6bca4b48efc720b5c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
c19932f305c2dfb67fdd84ed3842899d

SHA1
872908836cc84dda648dcdd981cf3b7b878c3535

SHA256
211357618a767d2c1779eb1d5e4e9764c33ec315e4f87d78dc6f3e1289128105

SHA512
da52afe420796c704e66981f0addef7e33ce68edfbf742405fb2b28f845d2e698b25c7a3e6da9aad77695a991343e826a676b26d5dc01990b2057351d34f1368

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
24b01eb956698e93668f6ad218c24704

SHA1
26b7e8efd6a5ac694f085e5bfb7f911e9cbe0aa9

SHA256
953515d9fcd2c36257997a262c0262c5aa347b4fff8f276af449b9372177a766

SHA512
8f811ff7413dd35fa2c9cd8b358889e1369e2b6b06057910e821f335d1b37b70025a5d0699565c3a79fc6fb735f6612f00ae3513cb8f83b90409978107693f50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7e21f9b765988ff21d0b08bef20a1839

SHA1
cf7a224cb0d0a50d980ba89c9580fe9ced0c1dc7

SHA256
762e66406e9c1f57f36cc6e1417ecc6902b85530513cdf41744b81d07e94f88d

SHA512
a7209759377a7913a30ae6fa8cf1956b1e9d324b28bcb76fd6ef46ee3dedc0a23a36c83671de1ccf4522f03452ea8e75c5d1f85fdee587b1f0927183853e3314

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
774221bdb63a83cc8813840380fcb822

SHA1
e3201796795718f6c79b953e3820e5569cbc719e

SHA256
d3b327245d49916ee98c17b44b75dbacb57935845c7b4b0cfee0f87279c91b8f

SHA512
50a5779b0770a7254b7f73944f1c838e3e62363ee3f274dd9b04fdb823e66e6cc538b4e821470a5c356c9b699ce54748fc3838fcbc21249699b710689e1dc3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a98ccfc510bc828e20da722f4b6c1588

SHA1
ef1457741ced2d61710cfdce47441d381f2162b9

SHA256
851c7bb13d38c724d1af45afe578ad831e263f0c99c344efef37da2740e14211

SHA512
9277e44de4c92171fe0a28c179c575e81345bfd3e6538826f94d4873cdfe5d76842a3513c8de867e42103a540a22930b9898243a5aedc5782449c6faa1b80521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6f05b7cfb829b5211b3f53032703a0b8

SHA1
4972922f791d3c279216006e4a7269c3847d0dcb

SHA256
e96e587595d6021411b6388272b1fa9c3e20c9479aaa880b968bb6a95e797533

SHA512
9dcb788744112b414addeeebcaf8535e5e5e8f3824f0b9629ead6afe22b2c749ae688d5854b67a14f0e77bb0b19a26e0dc5a58c8755a0f4fc871bfa3f0a464ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
15dd740ee24351c93da5da8225acb044

SHA1
ec296d83202acad22e886177d178c8fe07fdc4b6

SHA256
772b83b72c709131841ad51ef433785cb00031e9018caecee7fdbd8d02dd89cd

SHA512
9da7d4969472cd6a24625b6c10f4bca4d7efabdeaf7dea236041fc2c59e0f779a9b4d9192207f6904f7b5d2099b3ba6f2684c7a59fdce429bba2f72b0cd5e1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576e2b.TMP

Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7383176c08f49fd75052289c8e2cec02

SHA1
d10f9699351906e37ad72390c995c3cfb00fc025

SHA256
9fb8c324a65fb8060c81da09d0778ed756678874b1e35cbcca85967eeb47557c

SHA512
a11026528e298d7c425a64dcdf7954e52b3cd9c5211e90ebde5212c9da6b2e99ec67a5a9b1ae05f85d72d4f7824e103a5e6958de63d6c8cd5298ae522b1c4627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
6d3988451514203a29d6443ae9cc0719

SHA1
8b113eaf9f2a73af6462e64db1ed7023a873fa02

SHA256
0962ece6677e349733e682642d9927bd99ff1e25ddf1a2668c85410c79606e4e

SHA512
8641eebf5839c79cafdd8164f93e60d100636038757cfa03d8c1edc8185af67bb800b8480d98a9eef1d8e5ad0f337b7e6464ecf4a2412f686294ad2c04d3f5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
b52a36886fce81b17ff177801f19fe17

SHA1
2d7d7ea54ace28ff736fcecb38eb16a5e95ebb25

SHA256
1c6d033d4307902573edbe4928f0085a5a1bdba5c8174efc37ea6ed54d82eb6f

SHA512
0c5e0fb8fcf05707946a64d82a6580808b84b20173f098ca70b8f0a7377fe752cbbe0d874d35d0a252e0ba9fcd33c5572a88d310594b2da2b4156d65b2035998

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4e28ea05b467997b5c8678ab8c724e45

SHA1
c1d2c8118b68d9632ab0b6066f314a674572efa4

SHA256
03d3f94f2ebbd33e157460646de3fed86c048397f0e63e7eda03c772256137e5

SHA512
31ccfacd78de8c7e5961abab677b5d69990ba17c75cd0ce635a4e783eecfd0a27e5d4844addaa0f63a6ff0c192d2c11713a967245a748a61108c08f68e6a87e3

Download Submit
C:\Users\Admin\AppData\Roaming\6fb0c87392be0f3e.bin

Filesize
12KB

MD5
50600ff8ee33e3fa7c7193b72ea7d6a3

SHA1
4b36b2a38b3170d391ac5cc0a46b96c4d31477fc

SHA256
e121da0b9b329c4dfdf5aec2de63d65613abba9a32cd680dd6bb8e59256b2895

SHA512
2b127a77bdae19b348fade1cdd0275061fd14d9686cd5d391ee30ac33c746c70d2bf532e753aa98521ffc45de178af3346c5d2c40de1f119d916021188b6b5de

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
07fb259e82a7b9cd2eff901f6910ffcc

SHA1
fa683a83775fc4e941d96c8e3b75c7534caba23a

SHA256
8e4a9bf95bf80bf589d8aa8b0cbd1eed5e1eacdad4f2343f8c323c7748e1819c

SHA512
fbd7a85e12ed49764166f08d4c73192b2756e895609c6ed746d6d272c839f80313e2f7bf830397ebebe10a22c98565e4d52b572b413f2f09707b216c0034a87c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
720e1dd6e3a66bf99afb61bbcfec0fd1

SHA1
d590ca05bd81a03e25443370e781d8addd69c321

SHA256
0942fc9350403ccf9e1ae60d99579387f453fa8346d888bdf3125afdfb1ff322

SHA512
ba749c69e72258c92f1cb5e22a48a7f992fe7ced7449087e0e973da384f94faa200811f09a5d6b66facddf337979aa91ba49c6f80f31f4edfb8a065837c5320c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f8dc53d1d8bd48e07685642737e75e38

SHA1
e1ef797d5fa8c961d984b23ecbb67b77bcc83aef

SHA256
d24571ca47f4ced9c80701510faf318ded2b9376c7e6c295fc9e05c72f0b688b

SHA512
9414f1cb5babce18e07f1ab55e2abe90bae4eec009842557e448b40d943d488e5142ffc862a91257d1d57d427bec5ffb20f450dc0add6ff68c5c71b6e9c40ea9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
06470cb4696666c8fc23bd6fbee5f0b4

SHA1
fe66524d46e2911b6a83fef7240701fcad17d145

SHA256
8dd605d0605c50d0e81bd0005dfe1479a08d1300cde3e4986773a185f06db192

SHA512
26b623dd26c801746d982a602ebe08f3588a2b7605ad44653544f614e75cdcc127ffca00c390261352cb283168dfebc2d50c01a1638698179f234f862a8ff853

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
9fcc6bc7cdbb89274cc87bf285588127

SHA1
79e14a3fddef4dd4fa4984a9084175f7aa98f534

SHA256
85527b8aad934e65b98dca2c6227d1d55a555ff8440827dae58318cc79cf53d4

SHA512
d5e55a61c1d3ac4a60d76fe456e3b98641df2f1c1bda56c96a772058863ae2e975b1f250a4b8eaf269637a0e54a609a83b770fa68b9f5132cab20213429d26c1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6dcb2f832071264d0bbc9d653530e363

SHA1
eeb6bd48e3f05df0a3be28ebfe62ab7c76ee7c9b

SHA256
eb4db704bd672c83b8b8f614578237121e2b23caad743f3c14660e1da007ada2

SHA512
1f6347d944451d5d536b105782e7a146f068ced349091ae21fcd76636f15b9d7bc14a5a1ddce323991df177293fcd0c12e1c5993bb55a95ec7721558d1d8fe45

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
25f2c955dd890cb892ca5749dd232ef8

SHA1
12b0007b3b621582fec28852f369641893f95cb6

SHA256
f2d8fdcba883cf7428403e0dfa1459cd950e389c2f30dc7e03b19c3da48e4602

SHA512
58a221b2c656c084f69deba4f65f7711f2cbbfe7572bfae4cd7fd2d6c142619b4a7a31c4dff090cc6d329ed77315ca4d3a9b4ec81c6803d672e710ac081f705c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
44da680a38818c22520de12658916e22

SHA1
26181e3a1a9ed80c22121eec0b4918e58e8c762f

SHA256
ae763d6f5e8cf1d81ada3264802dd473521bae0d0b7848fe09a1e13ccfef346a

SHA512
9e07af57fdd192804db8574d53f47d4ab1bc2ea7b2d3bea356ac720493c336b711c5d2e3ff8c879fb47496a5562522c4733fc73822502d460aeb09a9520d18c2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ded1143496c78ff5800d179230722e1a

SHA1
62cf0824c0779ffb1c17e624de3523ced58cefc8

SHA256
16dc5397c55cdad7045ac10130944855bcebe52f41577aea3b0e16383256262c

SHA512
6368addca7979455506f8727bdc9fd90f8779dd29084ea6d0cc8bc7520d73b8a59818743ec9a28d3ef7ebe762966f85a3a1b007b8b92c843fa7542c49de17e7b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a3ee2668ac19e985b4bae9b4e956116

SHA1
dafe0838237f3c8ca32d6a5e0e0643a3c92b2a5c

SHA256
c2472e96829ec343fb53d00e2dc9983af9a3430df197c06dbaffdff73e5a1666

SHA512
ea6491a93dfa87565a2bcd9be0898e5947d82c7fdf2a3a88d96caae1cffaf1d76decdb756bd40369ef9e8fe29f6356e631bdb1aee2d4215bce40d4535d9b1b8c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
efd655bc77736f93d7bdefcdd439ef72

SHA1
cba29471fda47d3cb065248e48ea1346a17bc2bb

SHA256
69db00065eea44ed7d36c01025ecd5face95f284922f568066f4c9ae74b7320c

SHA512
03e56095bb3247a58b0f426ed7cdb56215d82dadfa670dd46243dcb55da3f1f6a03b86011419d150cd0a82fa94f76cf0acd851b37134b5db16132cf27c8728ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4658b84a2d1f4a6d164f85ca911f98bb

SHA1
5fb11f5de8475586d90bdc3fc4de66ebebe240e7

SHA256
b5e49f13c752b3d51c1061e38785378602cb478b19b79986dc76ccec26ebcf53

SHA512
95bbedfc886b6086bc2afacc3844627928594f36194faa5cf337200448bc407cc3206b4e191fc05867dc2f14beea105736f0c382e745db1a4443384a31b309ec

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
cd5ea90e8dc015438a71a73378c5b686

SHA1
542f4e2cf609a43c9394635d8d07e41c19f98d9f

SHA256
69b45f07ba7595b37934bb6ff7bc21e5ea33372872552d02a845e31dbffe3427

SHA512
2734b0ff622c1ee6f5a1e6bea6189175da0cc8c5fe470539b30eb8634235f0aae87f2332e86156347e3b99131fc8e656cf7c13857beef535fdb5b7e6956b7074

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
413789b5f8b4bf2681cd1b17dcc2a458

SHA1
9289bfb041f7fae3a3255b4d7c7615955163b4df

SHA256
9510dfa8be56e1a3f10d28a3894427b0c155d51a478e8f53e65e05527b7a54c9

SHA512
518d211b5a056b1079a61655032dce260a3d902bcc88390ea7a2916e75dab65e942f085a8cdc6cc41f1395d0b768af175a5b22f9146efcbc550920ae2dbec648

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
50031655720c0b2f2c3327c1deab4790

SHA1
9b065b22b27d80c0b2b51f795c0a2839ae218576

SHA256
ef9d0db578f2c843d68258ef81321a1f56a0c3168ad74d03f1035f883ec7098d

SHA512
14ec7b4cdee2bf6874cfa1951291a3614b082ac8f6ff9a6ea75a9da39ef643b0aec881ccbd9830002e6a7e5294cb8ecf5d294454bd792f39274cefbefcb5ae95

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e568c345e6098da38c7b0af76655d8d9

SHA1
405985fc4a4fa3b6d0f7c64df4ed66f83469259f

SHA256
23e4bc6a17d2b3221c850eab5fff116e08fa6cfff49efaff5dc9a86311130386

SHA512
32dd272c8fe7bf9fbea940436598c62035cb7c917404a4ce27f2a30b974dae6403910c623e25f65b3ca99f4dc6c4b11bf76a3048a4090083756bdc0b36252441

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
374cd1a2dc565a1416a1711b1868b437

SHA1
273f0b5ea3b29f541eb0bc877e4c598048ac2585

SHA256
74d1357225aeef74dd563d9ea5660ef400c15ca6c3ac8ad17ce57d0081f42446

SHA512
523ba30c7fb4691ef72e564a81b8749e1aee134ba2dfb4c55ae4a0087e4d939564c84214dd0fea9f4ad7e355a041a71ddc9a16efd3bde28327fa6e88be4d9fb1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
96cffb902f81823b610f1f1fc1213f24

SHA1
038bd489a3c3928f871ad6a4558deb9d12951843

SHA256
95de257be5c849fd38bb6ba198e1fcdcd4d09800a9718f485cd1b382966024c0

SHA512
0be1084c198b96da26ce882781f5c35eaf364677dff2b4ae22b4fd580d791874fb2b9f31cea676f3d8b6dfc31ab4da4d0011026e94da44af708de21454685f4f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
memory/720-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/720-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/720-169-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/720-17-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/980-176-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/980-309-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1360-155-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1360-285-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/1476-154-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1476-34-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1476-6-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1476-0-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/1476-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1796-37-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1796-175-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1796-22-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1796-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1920-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1920-114-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1920-93-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2340-701-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2340-503-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2360-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2360-271-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2412-201-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2412-485-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/2812-122-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2812-258-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/2964-220-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-490-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3048-526-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/3048-253-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/3916-66-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3916-67-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3916-73-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3916-162-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4244-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4244-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4244-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4244-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4296-144-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4296-281-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4540-297-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4540-172-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4716-517-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4716-239-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4804-702-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4804-540-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4892-76-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4892-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4892-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4892-62-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4892-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4912-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4912-51-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/4912-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5060-322-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5060-637-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5060-197-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5184-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5184-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5276-638-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5276-289-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5388-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5388-648-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5488-649-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5488-318-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5592-650-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5592-331-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5852-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5852-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-525-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6140-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download