243e3d0323b14bc6851e8b028a16edf3cb3de1e68baf83de7156b291fe14d5ff

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
Size

5.5MB
MD5

cfecf5c2290aa061900a3873c6594e32
SHA1

2fcb9cf9ad0520afaef2718fa2448923a078ab13
SHA256

243e3d0323b14bc6851e8b028a16edf3cb3de1e68baf83de7156b291fe14d5ff
SHA512

724713b9b906c3d34e9320f8ea9a8ca89c60916b5364c2ac13479c7c59e9b252054c0588d8e99ad40d6b52c84c20e52e23d8809be5d8e52b89f155f611f12902
SSDEEP

49152:wEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfo:eAI5pAdVJn9tbnR1VgBVmGqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
804	alg.exe
4236	DiagnosticsHub.StandardCollector.Service.exe
3588	fxssvc.exe
2844	elevation_service.exe
452	elevation_service.exe
1172	maintenanceservice.exe
3368	msdtc.exe
468	OSE.EXE
4336	PerceptionSimulationService.exe
3924	perfhost.exe
4352	locator.exe
1576	SensorDataService.exe
748	snmptrap.exe
3816	spectrum.exe
3496	ssh-agent.exe
3396	TieringEngineService.exe
3412	AgentService.exe
4428	vds.exe
2844	vssvc.exe
5184	wbengine.exe
5336	WmiApSrv.exe
5444	SearchIndexer.exe
5868	chrmstp.exe
5924	chrmstp.exe
6072	chrmstp.exe
776	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3d9337378beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002656146ecca6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f82e0d6ecca6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003bd1716fcca6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077b8166ecca6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
5864	chrome.exe
5864	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3420	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
Token: SeTakeOwnershipPrivilege	4764	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
Token: SeAuditPrivilege	3588	fxssvc.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeRestorePrivilege	3396	TieringEngineService.exe
Token: SeManageVolumePrivilege	3396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3412	AgentService.exe
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe
Token: SeBackupPrivilege	5184	wbengine.exe
Token: SeRestorePrivilege	5184	wbengine.exe
Token: SeSecurityPrivilege	5184	wbengine.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: 33	5444	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5444	SearchIndexer.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe
Token: SeShutdownPrivilege	404	chrome.exe
Token: SeCreatePagefilePrivilege	404	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
404	chrome.exe
404	chrome.exe
404	chrome.exe
6072	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4764	3420	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe	82
PID 3420 wrote to memory of 4764	3420	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe	82
PID 3420 wrote to memory of 404	3420	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe	84
PID 3420 wrote to memory of 404	3420	2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe	84
PID 404 wrote to memory of 3660	404	chrome.exe	85
PID 404 wrote to memory of 3660	404	chrome.exe	85
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 1044	404	chrome.exe	92
PID 404 wrote to memory of 2072	404	chrome.exe	93
PID 404 wrote to memory of 2072	404	chrome.exe	93
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94
PID 404 wrote to memory of 4920	404	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-15_cfecf5c2290aa061900a3873c6594e32_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc840eab58,0x7ffc840eab68,0x7ffc840eab78
    3⤵
    PID:3660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:2
    3⤵
    PID:1044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:2072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:1
    3⤵
    PID:2756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:1
    3⤵
    PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:4024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:5972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:5316
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5868
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x268,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5924
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6072
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:8
    3⤵
    PID:5588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 --field-trial-handle=1884,i,12252591401483818052,12572128804436897125,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:804

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4376

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3368

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3816

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5444
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2d17a9f2144f87d26ef9012e52163b5d

SHA1
0d7b43df24460be4034dfd437152776958130966

SHA256
63b657fc1bbf57d814b3ea896fa45199e1de82e2e037e4c41ccf59007d8a5e27

SHA512
41040d66dbab9ad32546ebfd9a67221e0e0bdb0852563221dcfeacb46d6bcdf4d70450eb44b9da71b3d666d14ba1c36508f77de539b7a1b93486a2f62b9e1bb4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
06a1d79a7cd59b37fcd48d10889b38a4

SHA1
a44dce7eec0e2a1f9a63b1393694c2165b711578

SHA256
4f487abc3012f582eb5b7fe4b40769efadae2c832a07f3a35d64816eb7f646f0

SHA512
5b671db2b4aa7b908424204010e78fe904bc2192b3da3090c90183e3f76ea42979fe879a0fc89cbefade7aa929fe525543c0c812f44907210671c042b9f0a793

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f53425d67217598eb85de3a5640ef33f

SHA1
ada2f153f34f00756c327d750a9a1e121c3028a0

SHA256
f1b5166cc92f02508fbcf57d942ae3c3e1952d5084fcf9c13e8b5ee8e3fc2dcc

SHA512
1abbb3194c325910eb4f9d4495f5e78cd39d7dcc36a33333babfdf820b32ca0c8cf2374ddd6d12dde015b6ea52da61166ffd27d8dee704d9950a61333c54f837

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
65874276978a69627ee7ac3be740da6b

SHA1
56f5a80af685b1d6d65cb6436ead679dd6a4ab9f

SHA256
696b2a5455d05382df08cae5c8d06a42eb968af8ed010bec17ae9110b183e2d8

SHA512
f8e5f7cc9ef6241c12a4ef214aa6d076ca1e44306a3dbc7a45b8597ce9ac9c479e800cc2e5fdcbce3f4e4454f287f059791dfb209f8e4cc3303b1a695811f080

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d38533ce9e9dadb7182ad78b37b8e792

SHA1
8054991f0acae4b3d7a902e481e911d75c7171e7

SHA256
577b8a64cfa7635e8b6c6d968bf74bc4761f32db60d64ad7fe841a4e2dfd316c

SHA512
d967359aa189ea4e9bf119a3b8b674afaedf360a75e89e47cee46deb7f01784a00afc5e21a89f67192c82437b916982390c3ae498a47e8e829fe6c8e4ac4c86e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\3830f058-57bc-460f-9333-f787a4bc52b4.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a285c55d53b0b9caabcaa883351ccaa8

SHA1
b553b74dc3aa6afe6812c1dd9f575d557b1bd419

SHA256
796bcfb97b0d797007807844cd3e4209021949f84493d29798a7c8333634ebf7

SHA512
2d1984e7eab5e736a70bfad2a96fe35fba3cdbc8dcccc0236b6ef47b9db78e89f654c6bc3a17b801fc52ba33c208ddd496cbb8304b2830ff105a0453fd75bc25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9bbfe30e25636ae3ee016d8e6e48c695

SHA1
094f5cf0ff3839fa8c21b4396ca45556f4b8792a

SHA256
2e7387bf0c5a8aedb22abe84f3c41a064e86af0efac9383881e79368f53a4b89

SHA512
86cbd0ef590d53cf3f1f476613ea9374dc18e504b83b680ad37d795f9f3e9e50c6e95fdf054cb6748d12c710346dab01c1003dd1d4cdfbd726b7c3ec0a1ad1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8528b6d65b57faafe969b930a5be943b

SHA1
5fe4fc769269a90846ba2c68c1851ca9c3492cb6

SHA256
70608a3c1d4102de448f081c857d8c6d4e0894fc37e4624adf75d377664bcfb6

SHA512
4077138d1a667587a10a1964a05602fbb8ec3f537818e55803d9cbdc7080f471763dbd9565a681f5ffff2d5e58c11492627c388241065a93642f84ea049b7f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe574f87.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b90fc86a3cb6ada91dca97355a343864

SHA1
b23306c82f1c854f5530e8a7a7b3483d66982dad

SHA256
8025cc72f2b2890032f3d4e08f2bf24919e4c37a3001e6f027318f0052f6b021

SHA512
60dc3ce4d07d24dedcd80e5664d13039465a6f7aa1f8333fa0099a42e54b82579c1e06be5520fbeb44f5794b0d954f60dc8118d9357f95e7ebb4fb02e1bd96ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
10b11e81d4e84c6473b6aecef08bca71

SHA1
f95cb7abbc6166a11f5da8805b165bbdb0739bff

SHA256
428ee7be0d3eb7feccb736f2b66186fbce3edd3954aa0c6e8827b5846cb06e50

SHA512
f04663e12c91f435125c5a7a8da46915ad1496e485a3e8bc3b2cddd295a29a62c6332f6d0f747f0430829051b7bafa419ff3b9b111cf708e731af4868fdca8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d323d3ed033fb7ce24d58681d2be08cd

SHA1
85348803a9055a4cdfc148da750c2c41ecb788d3

SHA256
bbc0296f8618cca93eecb3391d46f4940311ec9e7ca18ac3dffec2e49d111d6f

SHA512
2facf9bd1f3254af690f4a04196083a391ebe35647712a272fae2344c952cf7358e7f491e8027ffa653e7916281e32dd968af30ba887ade50fda07c51c5c9e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
37a2153ff0106e2afb204760acd55e84

SHA1
37ac753fab39d1c7bf1a88671a60289303fdeecf

SHA256
b27e27b628407625bd122a412d43b8c5849777e95a37825caf83e7e13088b598

SHA512
5e14ffd48012257b1b26081be02fde0b2e6b4490594d91a848a96dff7dce87aa3496b4080b16f1a56e07e78673cc4f73e464b34f3f673dddaf7e6195ec8f5a8a

Download Submit
C:\Users\Admin\AppData\Roaming\3d9337378beeeac9.bin

Filesize
12KB

MD5
3493d282d465e6d996fdc6fabbfb65ba

SHA1
009657e6e25e18729f7548fd13954f7545d62a62

SHA256
1629a5f81a65ae4cb2e11174c0f84e98f4b84856ab59da16b2602f24c92eeddd

SHA512
83e323af0872d0b3313aa711e1b3fa3862f8c6b1e83b1cac099f75b0e5af7127f0252f65feb0f6bd60bb8e91b471b592d5e33203e7e93a9e8d7b08f0b0717103

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5702bd9e13a88358b86b4a98999c250e

SHA1
63a361b2b9d9eca75ed920588e12c600f8090918

SHA256
fd763e1ba799c2be5e45d536761d244167fd7bed42be42f20244be2078fc2b95

SHA512
00532b7a694acc81f27e5d357ce6fa080672937ae6f7ff4b8a603937507ed0fb973688e70dbe3ce6aee6a695711d7b51b4e6ad5f344b07c010843ff521e4944c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c7ec82c1d36b2dc6cbfa989af6d041ad

SHA1
08b3f04fea69247a2bb210d519dbafc0b5f1bfd5

SHA256
53d5c08ca858e9c4ecad95914951808b82470230e4ffae443a808ae468442792

SHA512
73763531858b8733d0f9f2a8819f62bd91ae5ebb29e77d4293226ef304d80267de02014c1f934671764e025875204c8e4bcc83ea87ae5d5f7d9ad8fdc4037de7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
850e16db618bd5d848bcd794aaeddda1

SHA1
1f6c7a8ef07d9a4725db4190934f8334e9105efb

SHA256
3b32355d89950c81e8515bdf50b05c5cc6907b73c72cae889ac1f8124232234d

SHA512
c4106e1fc61c5c1411f4a539e1f987a69d808b326263a720b987c88ef2fe32e27a5819ad1a2fe24e67d34efac0a154792b550c6c19ea6454812db5d754a3a49e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77d784195f16e485b81f36620547e485

SHA1
e7fb13c3040cb9aa17cd26b0f4b2c3ed12f8f66c

SHA256
cec24cf932378f72e679617e0725274aff0ca1efdce24def336bd7060f6d11ce

SHA512
000a9e85ec6b06fcf2e9a481e9a878b6359eb13f9ba89db524c7d33a186c183363dc355837bb8b4e29ab974a72260d99492ef479af9b4adc63f424da71f72e8a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a3ef8cedcc42c73c8d69e83043e81f4c

SHA1
48f2a8a3588370ef05c6f68bf75b1ba74a27805a

SHA256
fb55ea02a6e389c1fb182857fb4f8fe12018aabaa94cfb9dd36d33bce9347267

SHA512
f1a04f1b0fecddd7a89bc72f7fbb9606a02feecd49de7aab0eb156bb0c061231e195025025f627c69854fdd90efdb54a76f16137995153ae6a1225d99c1419d3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bca27f6e64fbd32cb9eb2a49d7641a92

SHA1
9168fd3621e55b807077cc5adc00365e311c2db2

SHA256
9466190e34cea281a494fa25e1118bd66b092d23077793847f3a94de90f94e99

SHA512
c49c62bdfa058403e9448f97fdb11d8932ab0a4d4afcb83df8cf4496fb742ac5b5bb6842ae363b0dc61dc2887f4148fb931fbee5ae23c1cb30d7b94dc81a2bcb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1cd4eba7fc22c059b52dca72c96812d4

SHA1
85a23da0aae6ba346e1e225eba1d24b92b6e0ea5

SHA256
0e085125c414cc4c6213a2bf265311cf5e38806dbfd1dd7206e5112a70a8b096

SHA512
fc4882861886d5e419966eac4c34b1c951a5aae5956f2eb65c62b9b3e2b7338d7ae6283ee6d2a9824954e41d346e3c19574d4e3f909a3721482e7b0a813c32dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
635c5122055c3816d1821f1d06dc39e5

SHA1
555a644ae44c6eecea100de3b20125aa524391c4

SHA256
313c0666a5393abfb61794bcc0fdcd59fbd6c94002954150e7ee9362b8b7c30b

SHA512
c6d3eeeac9c63b104cd8adb755d8f4a69e44b019c88d6fc4e74b3ca57e22c306b46a50903cf1124d3caa8c1611747a49e6d34df8db722de7e565fb9caf46a0f5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
713ca5ac5de34b60cb5c2a28c6eefa3e

SHA1
c89b064aef3c343e565c9fb4092068ad7fb7d3ce

SHA256
3ab00be6ed10897690af88beaf44c6ec6b3743dda05b5c8a4473c7793bed0fd7

SHA512
f47cfef97cdb143693102ab771bb3c147339828cff39692498e9ce9cdd434169b4c3423820850ec24354b0bd6986c8f8167ce839e64550ccb465c3e642995b6e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
837382528dc8087afd63cd5b96b8c97b

SHA1
600e6ca4d595ac848c5f0e525502e428c452d4d3

SHA256
5c0c4c97aa2b9c7ed4f0d6d67f7717336ff6e19d3b82dbc1cf5fda4297fcab55

SHA512
eb5f1afb313830ee3a5c5d09f56f7c0ed05c48428b55bf8b0d37660a43f33405679394ebb948aead78f868d2e77bf436b6d967c3ce55c3511dd89e1f8e16b9c2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
26d62103bd9440af71e2315f2a596275

SHA1
e7d2e4f5d000a70879d5982f574107d4d047c3ea

SHA256
ddc2840cc3b43c86655c324a3a045e6bcdaf9a71878844c43dffcb13fe711bf2

SHA512
8911b7ad910a580222e9f55139c2b61b965d8e6112a3e41ba076aba2bdb673166d0abf3f867802eca56823fe5b3d87aec27f33e50e12ce0d7090fb5848c90581

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
102f3bf7bfa7825feeebed910e58c281

SHA1
c78fb7dfe7763d38a26fc4aeba5713513ea8c16d

SHA256
18bbfa7b795306e02c3a62e35e814d8d257d478b0c90cfa91cd041a242effeb6

SHA512
8a89a5ed844674bfebcc88795c0b78eaaa4d3a6f65d3485501d20864a7e2c2aacbf15f714906c1c6bf11459e465066e49156dd1d3e6522729a05b24739e82d00

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e82b1c72eb8b1778e44f4424a1ad0f92

SHA1
12c97413dffb7e59e364cef13a677065675c20c8

SHA256
411fadb2d99656e4be51bcfbe22a1eb0c245cad8bf21cd9e37f350f9e4d0a2a0

SHA512
1b4810c1ad301212c9167fc343a9595f848b68c30a50aa5ae04ef726a45b3fae480a4361585a2441f5c59882825758125cdc9c27de0a69d6ca1f9c6ff4b01bdb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
788ea444fdd16f1899d9bd5cceb5ad89

SHA1
1e66f86921f22f11f4fe5c47dff3271d69a7cf22

SHA256
eeee0538eb6fab87ce9ad8664cc373cdaf681bc006b79580d3efca9f42d353a3

SHA512
25bc02e98bf42761ab960e5f87bb078cdce1587b94e73b174a7852ff6c391f46d8d254760e6d51ab724e4716efb6f7078b60c5e385e58a0d9a22fe6aa7ccd025

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
61e57675fbe921935c55b1e16b5b0bd0

SHA1
a4f9163a434200c565c55b9b4a7c538640e26bd0

SHA256
64dc3a996932a292f7ef7be5e900b89b4ea3cd25b7899e8ef50fb5178ce5a5fc

SHA512
fbf8bc4d0b0fe515d1d20a4e19ab5145870e3b90de8c614f14288e2fd2198134c75e28eea4d4a21e60ec5085d82f72c7c78134fb1c0b4d9d2a7d699b5a3d1194

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d94d841901819e2004ee0baddd1d6ef1

SHA1
0ac6dc64e3f574376639835f688b4b79ad83e993

SHA256
148ad84a603fd9b01136b3f3a4a3ee0e57fac1e913d858d0ec260d8e84d17213

SHA512
5e659e3fad737ebe8067db03201becbb391b6f14ed63446bec4cd94fe142b39d8ec0e845a8db04cf834fb328fd0b40091f677dc6146544115030eb419cc2b723

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c72f759d6d707124a174494aeaa2af3c

SHA1
a37e9f15b5584ea72449b5801d0c394a78916bcb

SHA256
ec6d7c470645566c5c293b1b8fee5808b45e0286f6b44947ed53379232e1d3d9

SHA512
7fcccab3dc375280be0d77325d8e2f315d2db29945d121efc191379af99505b7c345186b773a79b22991cda7862ad8c360b500e422caf1bfb0176f7a9532c761

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
43fde4bf7b4a1539c97094985ef6fb6c

SHA1
fb8f3ff5a773eb9feff0533d1d80c6967565e35e

SHA256
7b59431d01d2f1d03101acf178a0802a3313151df6611a054576c7384f3d3898

SHA512
3e15f4901f9670fc36cecfd7f5a587c1f79589f6a21192fb0bbaba08854085601de3cc49c7aaef59e477022113b74d95983bc3abf60b64e304d601640cd1beb0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
memory/452-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-225-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/452-91-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/468-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/468-267-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/748-210-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/748-512-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/776-705-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/776-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/804-31-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/804-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/804-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/804-184-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1172-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1172-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1172-95-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/1576-690-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2844-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2844-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2844-76-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2844-163-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2844-691-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2844-69-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3368-130-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3368-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3396-239-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3396-555-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3412-263-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3412-251-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3420-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3420-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3420-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3420-35-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3420-6-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/3496-226-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3496-533-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3588-58-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3588-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-64-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3588-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-82-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3816-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3816-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3924-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3924-299-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4236-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4236-45-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4236-54-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4336-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4336-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4352-185-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4352-320-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4428-268-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4428-682-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4764-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4764-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4764-143-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4764-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/5184-701-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5184-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5336-702-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5336-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5444-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5444-703-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5868-513-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-704-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6072-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6072-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download