a16c9f61f907ebe646de58e0084cd519501ce3c136ca2179a5cb8ec89b7f75af

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
Size

5.5MB
MD5

397456687334e3d6a44c30fd5483aa4c
SHA1

84209062c1c38d3caf5ff6b364807de1d7dd8614
SHA256

a16c9f61f907ebe646de58e0084cd519501ce3c136ca2179a5cb8ec89b7f75af
SHA512

1ad72c0d63200b870acd8094a09d3efab3f6786c0c70dd874431a54455c2c949b6bd3afa0e74cf7c2d36a01bd31351d5089dffe6ed6e697d41bd8a6216030d60
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfq:WAI5pAdVJn9tbnR1VgBVmwnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4964	alg.exe
808	DiagnosticsHub.StandardCollector.Service.exe
2848	fxssvc.exe
3000	elevation_service.exe
1524	elevation_service.exe
2376	maintenanceservice.exe
4288	msdtc.exe
1508	OSE.EXE
4744	PerceptionSimulationService.exe
5024	perfhost.exe
1088	locator.exe
1016	SensorDataService.exe
3108	snmptrap.exe
1264	spectrum.exe
4220	ssh-agent.exe
4084	TieringEngineService.exe
4892	AgentService.exe
4852	vds.exe
1760	vssvc.exe
5292	wbengine.exe
5480	WmiApSrv.exe
5604	SearchIndexer.exe
2028	chrmstp.exe
5328	chrmstp.exe
4396	chrmstp.exe
5708	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9ba25078beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006358df99faa6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040bf8499faa6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000951ec599faa6da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602734149889632"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d92d169afaa6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079ac7199faa6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afbf6599faa6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b725799faa6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
6864	chrome.exe
6864	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1684	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
Token: SeTakeOwnershipPrivilege	1456	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
Token: SeAuditPrivilege	2848	fxssvc.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeRestorePrivilege	4084	TieringEngineService.exe
Token: SeManageVolumePrivilege	4084	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4892	AgentService.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe
Token: SeBackupPrivilege	5292	wbengine.exe
Token: SeRestorePrivilege	5292	wbengine.exe
Token: SeSecurityPrivilege	5292	wbengine.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: 33	5604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5604	SearchIndexer.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
4396	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1456	1684	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe	84
PID 1684 wrote to memory of 1456	1684	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe	84
PID 1684 wrote to memory of 1520	1684	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe	86
PID 1684 wrote to memory of 1520	1684	2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe	86
PID 1520 wrote to memory of 3796	1520	chrome.exe	87
PID 1520 wrote to memory of 3796	1520	chrome.exe	87
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 4680	1520	chrome.exe	98
PID 1520 wrote to memory of 3380	1520	chrome.exe	99
PID 1520 wrote to memory of 3380	1520	chrome.exe	99
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100
PID 1520 wrote to memory of 1380	1520	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-15_397456687334e3d6a44c30fd5483aa4c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e7eab58,0x7ffa1e7eab68,0x7ffa1e7eab78
    3⤵
    PID:3796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:2
    3⤵
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:3380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:1
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:1
    3⤵
    PID:4404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3936 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:1
    3⤵
    PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:5396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:5404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:5804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:5996
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:2028
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5328
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:4396
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:8
    3⤵
    PID:5936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1872,i,3106925945944278570,16536304324038804723,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6864

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4312

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2376

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1508

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1264

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4648

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5896
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ae6bfae36720b4b78af23bf1a5e73bbb

SHA1
58861862f946a8da564f1718259b825260dff696

SHA256
08273834f7c377cc6545c21ee38acc18aacf4e140050111158c700ece6ebf9ca

SHA512
b10892bdfc39496b24f886291757d84668336daefdc489e77f7990b92259a1b64f550be76dbf36f5aea385ba569d65a4d33ee77e8b92b091bc6321658e77a9d6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
72e9b6e437db680c3c2eb7d93236f1ad

SHA1
c5bb9865246c637cb3377a2c265dc3317d015015

SHA256
0d3e4beb3e64470bfb68c72aec3a95f6992d864ee026bcfdb4977902289fa710

SHA512
e7e897d9baedfc0cf227a9e4d6cfc0b094d7cd7d0a0c8878e89eda15211db34e35926e87e0ec90933eb5b00f73fc0051de84bda14bd5a5190c73ea379a3673da

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a9723366e068fc70914bb71540a12d95

SHA1
f6e3df00d07ba7c7484f1ef19530d69d2af0b0fb

SHA256
7f33b9b5b032e84645049c9b7d50aa6f2a327ad31519c5e3b02b84cf8b3daa20

SHA512
f426821bce57219bb0bd538a3bb8da2e0a0e39a87db19063323cfef00cd5eac4b3a3ca6642b2eda287c729dc30002d2605e729d83eeb4f2d162fb736ee73f4ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bad217192974b2545a1cb0e55f666a58

SHA1
6755229fda3c416495b34a4b318484ead79abc9e

SHA256
20ab72a97ee8f8d6a47ee670a7f2611dc08236d0571e48c14c65d7dd016b750c

SHA512
61886ca5b375479130f01e4bb3f86199e2f43a12dc13822612b59ac8128d29baaa8983940756fc7e930785fbff43aad31c734407c4aa547bac9a3db30d8bb16d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
39d26db8bf4b6eb187ec42dd8736507b

SHA1
0950dd7ccd797651a4e448e6f654fa63bd09ecf5

SHA256
4885e9b70d78384174455fb831f77b72f7e02a2b580a9d433a8b99f35ffc58c4

SHA512
2f99413e336a5a8eeb29be0c5f9efa9adba24e1fef17aec5fe989fbea028e9b52b0d158348d156812334269249a18689d2126ca490decfb7565bf81a27ca0051

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1322e326-ff7e-4b30-8601-48692e1ff235.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
90b8e3c077c7289cf4b7078243e26f76

SHA1
c8e3387c59c20fcff770b846e972a52f7f93591c

SHA256
001c51870a28710313d50d9037f261881517a384d3e502d9112b04ea2e8538a1

SHA512
4461003ce00d03608509d7ab645b933ec95c398623a1d8c6440c8a5b069d32e73aff391a1d3954511dfca7da698c0820970017b66629e3647800e5cc3920f1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5faba265cc78199fde630f59ae5a40fb

SHA1
5c882e4dd8ce6b6624db8ed2fb40531f555c03b0

SHA256
660902b2cd7c1292f97b131d7505da2222f600e231ea66395340080edb5afde2

SHA512
c7d44cfb0c1610641cf09056b3045a7fc1ac3a8c2c636ea1b68e844866d24b6b48fdda1b0e1db84b30f26a7e8944b630b53ec59fa4c74b6f60de2ecfb41a82cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2ac7cd024915ca767cf6818d12191a07

SHA1
3424674556fd76876dd2b4001b8fe7d2e2329616

SHA256
4ecd99abcbc6b5c4756eb2cb1bb8f6596d7331e2a889a06ed6f02fc088c8f06d

SHA512
773bf6812912ccddafd704bbeee8cda78b40fd3642b2bdb53d22237dd1f8216a58d877094fc7b577f8e8e8f6460d2ab499623f919b3f1ce05f4b08b156105546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a3252aa4616f8aac007cafcc02f17b41

SHA1
04e4781aea527bb6935a50feab30d857ef60d34d

SHA256
67399985b1a31486cdd3d0d7671d438a0f558ea582e76db57d6ef8245ec99ec1

SHA512
7934a3fa4442b98616b8d5f8802a7ce6117b79e1168e8fb0f5f688fd029fc34ac4ced0c983a61f5648ff7e0e26c0297c2c255edb96b62d52f85c3f370f9b3db9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575e6c.TMP

Filesize
2KB

MD5
2439032641f0c53dcd64320bfa02af0a

SHA1
a1820031d22a713be8ff0a020783b7bc72860ae1

SHA256
13f018fd7e8d456a16ab52c9430b449ed2f126386dc10abb8d01ff752f92db72

SHA512
d9e02ab626313b138f721b369d987f45e68682f6cf2d76138195cedc75cea2237cf36677173a82672bf54ae9fe480b54f42c76af18e8e4c6cad76da85bc178d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9e681b1d5c492ab281830cb8d848dccc

SHA1
6a12d674b5dc0c01275d6d5b124da09e70e4b177

SHA256
4cc2f97c17765133559b9eb22c13e316083df6c50b25bbb5d4cb29726191f2a3

SHA512
2f461466065e6d9ad508d4b5034af53afbb6bdb6f94d2c56f594eb544896c490d9e4e773cda8f9195fbe12a5d142db6fd730735193143191562c1af0e401dcdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
640715d20e2be51cfe1a9ab2cc56e280

SHA1
fffd888d200d8454fb12042d6b19ce9bd07b60e6

SHA256
3a7879fe4a5c64cac025ad6a4926fb221a8c5e16b8e8ee0bf449ad7f426620e6

SHA512
dfd7627f33a6ec9a0a473557c5fddd21b3d110f26ee3453d46de0813bb0fd392be4171720e12b282052f5dd4d72334bfb167d1ad567cf2c643d593c00b8cc40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
deb8a4644626e1569fa7d9281ba6a7c7

SHA1
d3557e3183c91f88769fde5aa2cb6ee518cf95ad

SHA256
abe33d72057df44aa4039fa0174e2d98a7ca02d3d810f9d9f3d700765c0ae0ce

SHA512
c2ca4e3592275f05d969e6c52d990898a73d25d57263118bc6fb054b9e4c5546ec03e1c8a97d56d60531ce02e469d47d61462b21320ae73bd1868d096ec47057

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
1f5e7620e6ecd0aec1969da56b0d2a92

SHA1
feee8c011e5bfaf5e697e4528625e3310e878702

SHA256
9a0b094474fd8a6faad2cf1b57a9e8341c95c4cb1f989bd77c056c706ff67290

SHA512
fa30644bb1b24dabe34edb7d100e914e9be83177371ecfc2ecdb3de3f7d6025b71005136a145916e90f7a6320232cfda519bc28456f0bff9c1ca58e74bba2500

Download Submit
C:\Users\Admin\AppData\Roaming\9ba25078beeeac9.bin

Filesize
12KB

MD5
5a777ca96aba1a306c8eb658f16b3134

SHA1
6f15af223a341fc73555fe977a15ac21fdf9f644

SHA256
44376e52bc3c2ec915c058e49eba675afc2738b30e8df37ed44de5d7e9eec31b

SHA512
2e540eb703fe5d48a71d9e21c3fcd30ce0483d3aa1b1e5d2df05532e09df763d9521c2dec9cddc98cd6de60b134b170c1f521095d64f5ef3ad9e75d5f7b4601e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
9e30ddf6376c6eca0d47f32a5a29e7d9

SHA1
3e88c9a97040796ca4bdd808383cb1075e5f0a88

SHA256
090db50256165c2b1c34e3d3f20179cc101d09941e1072526b31e0e5523988a9

SHA512
b0676f062b92afe0237314b20c98c049ab83db34b1ed80fcaa4e1b7763c144c4ab41928e77794a004b403d72254c3388b1ab68a8e0dfffba7c8047d9ddd3f142

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
048e4d328a2d5d946468f4c5f45671ff

SHA1
4bee18baa5c7c393dab810a12fc9de2c3b0ed8a4

SHA256
f6a34c8819adc581a0d340c2e16c8f317d6b329c1ad44e86cba4b4bea97d6fcb

SHA512
306c85429a4061bd06cba04dab17c268c913ba43c492420ac4a763f097624c31e32d8109d146d5532c8fadd4a6e29264c674538634d2771e2e541ec602d97d38

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
0991478283a3e2ef33479bbff12e1a34

SHA1
10a7372d2820c6fa97a80f1936dc0edd5e9a61f8

SHA256
d8d242b230b3e8571b7059537a906b5830353fdf320ba315d6b521eeea2900e0

SHA512
10f8ffafab96c6706e6f43d1d6d16922f78b44d61dcb1bcea89fb081783bf06fa2dc9e156657bae399cb679b949870515b6312ea0cacad8aa6a1678922ff5e8e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac518db6144165c04077ffcb8a7544a0

SHA1
531aecbcc9593321534b1fe60ee112dcc38229ae

SHA256
cc17eaefff0ffa5c6c0e3e9c0bdb39f35fca018fb2d48fe94ab6823060b2ab1c

SHA512
3656a617796b1e0e466e9f8a2ae4e5c62063de6499a7cd907ab021fe9a53d7b3932028c950f924f72fab71020edc40de075c62cf02c8fc28172f5c727cd9f746

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
699eabd7c316f88acd9342e20c84e804

SHA1
f8a6a4bcace74ed1c1e05e60717f1ed3e932acf1

SHA256
95e9c3ec432be25a1d1ae9067cdb35ad935eee7a665e21678bde8710f8a2f404

SHA512
3438666650a5222f623bd82de5af3c3d77e3b0e728416cde0e6a1f2954ae739c303165d2c755bbb0fd1fe0ca61cd0d247e61da777dcba013fcaf8f7d81516341

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
70353a882e4054060f604c63abf2c4cd

SHA1
d3b6015173318681801e0c556751c5d87a3e4c84

SHA256
2b1d1a57e513e533d2f49025ccf209dcf5b969a7f4ac32e49dff70ddea58e1cb

SHA512
8aea70a62ccaa97eab9ab9ecedbdf4b8f9a190e7700bae2116da367720f361de6cc8846312daa2e35a3a64c6c4568e674a3aa8e903db32ff090ddbde8f078a6a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
6392f7b0c201ec86bf373e43f8c7d4ba

SHA1
561f8bf1c0b312143ed26ac8a0edf0d9e8b0102b

SHA256
eeb28b9ce0c80ed611119fbe75d1b4e1d4064285c79cdae3eeaa66aff86d5e96

SHA512
1d90f61e3d9d3c6ca32816cbf4e4e858ac80c0915e7335b0e677385720431a49a060699e363358b0b8faab9daac3b5866db0b8a43b754b43464041a24ee30eb4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8c3e0a77b5226a58d36f3abcfca77c19

SHA1
cb826e2080032c9f3ed254a96975a63d775e3526

SHA256
294f6528458418a89b33c6cd1b29cf307372c008f9fada3d8feb1458cf948034

SHA512
4cf183ad4841ccfbd378479642de559ae1afaa6585b2f8b1260607defb408b05b1f555125406e8b645a43c1b37849c52b32bac8e7e059548b5bdc72cdfe076f9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0b16a2240381e94f8dbc1ce1fa48ee20

SHA1
76876c3a9c5f0149e131fd92755d6b4c7672d97b

SHA256
02d91212a25c00d7322514fad4dadef8628054ed99a95266e5b58d376fe822e4

SHA512
2a652e997e2a84fd4b4c520513e2786de0ba977ce13fc1e91ba51ce21c0ad2a27caa5e89812b08698c997bc0730b015358cab3418411aa6e99d2f9956a22bde4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
40937535d5f28831eccee0a084fce493

SHA1
40f61b2b1901a60765d2d08fd6d4fd4db78666dc

SHA256
188f67913a42f02d0ae9fe7a0fa637d125245ec309982d9e8de459a65e05ac71

SHA512
f41eee1700a9da2d5243ef9be314a568136282270e6bb47936efea519e50ea4e4436c249244a933c7eab9f78e9ed23d79052fc4578e5e212215ed2876e44e178

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
c4dcb4d82fbfe20689a1c361842b90b3

SHA1
8d688cccd62d9a71f32721829e877a461591e3ca

SHA256
a600c13f83caf45688f2040ffe64ccc959393ebbe3c0eb5376a755ac9ca36c04

SHA512
a4ce7d065ad1e7ce28b85bddd763f833e046340e1861496bfe24bed8620a5ff5887e8a759ee96b60a6b313d702dff61ad854ccea51229a4ebd8ba13f95f146aa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e4dcc0958d033246c70f163a5d51ecc4

SHA1
4913adab9010e2f466b95a6718a24b1c21feb247

SHA256
dc10290dbfe4839a2d4e8d993447598187aacdf5fde3638eb6fc5a7c26bbac2e

SHA512
26a7720c952c9a635194f40da678fc07057539b656ab3d67d82a984a332b2fac27c44663f0008c2b3b6689e36144f6437bc3a7899c18f01d3157873fbfd170da

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
889c5ee1867e215d43a3e29e330182a2

SHA1
ec800e368ab20c39f5c899392f0a61775bd623bd

SHA256
05941411447ba521a544c013535c01c9d7f7496d31aa8c3cbebe6d4e5d8d9204

SHA512
9b90b0aa3cad0c22781960d54b9ecfacb11f5cc3e590c58b0042bd637646f8e2df339b2a41068b47272f4ac4cad9835334cbcec132c5c0cff1e5e45e755086f6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
da70a85926a5a781df77601a36f5ec58

SHA1
5bce2c58fefd57a1236532d3d838e150897091cd

SHA256
74dc25ac6083988d07d962d872c76718aa9dfe2b33448ae9fe0722b3baaff1b0

SHA512
7ab915fbbb8e142ac1e2e24ea262e716eff9287be8126f87fb6fdab0458a4836c19999177175e67e988037107cb674b5a55c16712ff1dc97cec8271dabaa78c1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
e7d8f7daec8b4e002bd2b73f26c6afce

SHA1
134cef34e95e0c79f2932187b952673d893f7e37

SHA256
ada3e99c6c24785b200ba7718ef9882d1432d104616c178135ea46210991c704

SHA512
ac0128bb7cdc7d5302f78206f56abb44f2b83e4058e70f3c215363396171a0c9db0ea540e0be1a4a667fe53455d9af70b9bc63d9cf88ee259dbe028e2bc1f7b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ce3ec8f0fb051028fc00f174e93f4363

SHA1
b72474d1239ca1d23ec1095a36e1c2aeb709b8d1

SHA256
14d21a5f84de679dd74f25d009c6fe550a9732dce8f8685868a018973941e030

SHA512
98d533461a8d15a1583599f16f6b3072490a9f843800fb182579a5c3c0d8af5bdde36cab90e18ef1652aba65840c756970216299052d726eb1ba67145cb5fe1f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6a133f53fd86aa4e4e8c25146e56b74f

SHA1
b18e0b22e7784a10769db228405335d587de1b76

SHA256
5126ca6d15bbbc89eb180782644b185e377f37281ea2d11e1c334322a43ea3b5

SHA512
8f0cc2fe9b7eed6ee6fa917daa73e87a304ac1a47ee8aebd38dac1b19cc15a144414b77d63fc198a20f1ae77fb7d390d9cf1dfb71c70097d28dd3a427197796b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
196e58d59806ca2ff16fa7ee9add0adf

SHA1
d28f75ba822adf5392e3e788d92d9f06e9eaa3f3

SHA256
9d94ac1fc8a164bfbc61646a95fc97b2a77829f498418460b13f3e066efa37de

SHA512
c3f2e6e0a00b9886d8536a52acfa8be4634f939f48d57db720d966c2f21913ce99801f499bebc9e7ae15c8a4763dde356a2f51c10368e36b1480264aaf29cbad

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
0a8c17e97526f751a8aa475e8c8b7983

SHA1
2cb070d16a547e867aca22af457f13c44c17d0e2

SHA256
81519c37e7b764606c063607c2fdc287f28845aed7cce899222c4f714f16f860

SHA512
40a71708d63ea949f7132ef01340b3202eb349119623aa849b0e103e4b7ddbea543ba7ebe98b255eb58e26ac050c09a1dde89327f31deaa77f483dcf16136593

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
616a6e377681d69c18d602853af4e80d

SHA1
323a34c2897a755e641efa64e422866978512042

SHA256
790449fb0bc34fadc62a5f89c30de19627e8be7340e6e62b23cf4ee45438e310

SHA512
6650efffb16e6b2c4c9f2ef7e773943cc0a55be8f22dda53a05368f4007736ed92ec128392afbc63376e2249bd417d4e90e92389d882df10387c56c7c15f9e4e

Download Submit
memory/808-48-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/808-54-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/808-56-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1016-630-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-611-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1088-180-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1088-551-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1264-274-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1456-17-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1456-20-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1456-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1456-163-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1508-518-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1508-129-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1524-517-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1524-128-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1524-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1524-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1684-41-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1684-6-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1684-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1684-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1684-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1760-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1760-733-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2028-600-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2028-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2376-105-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2376-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2848-90-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2848-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2848-59-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2848-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2848-65-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3000-78-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3000-70-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3000-199-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3000-76-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3108-210-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/4084-276-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/4220-275-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/4288-127-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/4396-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4396-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4744-530-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4744-144-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4852-277-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4852-732-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4892-254-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-33-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4964-193-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/4964-22-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4964-32-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/5024-165-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/5292-292-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5292-743-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5328-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-746-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5480-303-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/5480-744-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/5604-322-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5604-745-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5708-747-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5708-552-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download