8f0e05b885c09e540459311e40f7193681113cd890c1af01ed03d2db1eb623e3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 09:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
Size

5.5MB
MD5

a611aab192b58f9118af526e74c560a7
SHA1

26b337c54b51e9f19c932fff3058cd9fac9765a0
SHA256

8f0e05b885c09e540459311e40f7193681113cd890c1af01ed03d2db1eb623e3
SHA512

5bf0190502ceced3293a9803cd32e4fa33d48cb279a2bc6483ee25d58542005152e3d2513fad69ab47cd38d299be7d789542a67973a6a8aa3ccd5d6cce6e8463
SSDEEP

49152:oEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGf3:mAI5pAdV9n9tbnR1VgBVm8C17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4016	alg.exe
3668	DiagnosticsHub.StandardCollector.Service.exe
4552	fxssvc.exe
3368	elevation_service.exe
4948	elevation_service.exe
3916	maintenanceservice.exe
3784	msdtc.exe
1120	OSE.EXE
404	PerceptionSimulationService.exe
1624	perfhost.exe
4876	locator.exe
2872	SensorDataService.exe
4608	snmptrap.exe
4808	spectrum.exe
464	ssh-agent.exe
1172	TieringEngineService.exe
2756	AgentService.exe
4328	vds.exe
1496	vssvc.exe
680	wbengine.exe
2232	WmiApSrv.exe
3628	SearchIndexer.exe
5780	chrmstp.exe
5864	chrmstp.exe
5984	chrmstp.exe
6060	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b7c9b12bd590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6672ba665abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607591998365109"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086d192a565abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c58daa565abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fee72a665abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef30d3a565abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d43395a565abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
1704	chrome.exe
1704	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1864	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
Token: SeTakeOwnershipPrivilege	1440	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
Token: SeAuditPrivilege	4552	fxssvc.exe
Token: SeRestorePrivilege	1172	TieringEngineService.exe
Token: SeManageVolumePrivilege	1172	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2756	AgentService.exe
Token: SeBackupPrivilege	1496	vssvc.exe
Token: SeRestorePrivilege	1496	vssvc.exe
Token: SeAuditPrivilege	1496	vssvc.exe
Token: SeBackupPrivilege	680	wbengine.exe
Token: SeRestorePrivilege	680	wbengine.exe
Token: SeSecurityPrivilege	680	wbengine.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: 33	3628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3628	SearchIndexer.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
5984	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1440	1864	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe	83
PID 1864 wrote to memory of 1440	1864	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe	83
PID 1864 wrote to memory of 4596	1864	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe	84
PID 1864 wrote to memory of 4596	1864	2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe	84
PID 4596 wrote to memory of 3944	4596	chrome.exe	85
PID 4596 wrote to memory of 3944	4596	chrome.exe	85
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1044	4596	chrome.exe	108
PID 4596 wrote to memory of 1484	4596	chrome.exe	109
PID 4596 wrote to memory of 1484	4596	chrome.exe	109
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110
PID 4596 wrote to memory of 3988	4596	chrome.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-21_a611aab192b58f9118af526e74c560a7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff89307ab58,0x7ff89307ab68,0x7ff89307ab78
    3⤵
    PID:3944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:2
    3⤵
    PID:1044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:1484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:3988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:1
    3⤵
    PID:4196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:1
    3⤵
    PID:4996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5780
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5864
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5984
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:8
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1908,i,15151505276159705978,11622394005107021824,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4016

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3784

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dd15ebfb46ba619f3493b02ec34b3583

SHA1
182f02980435d640dbbc3c614a6228d397620330

SHA256
5aeb407f85e4aa52bc1f86631c13b9d23565724d246e33b2a3b87cc415a45b00

SHA512
b8577b358131ab6529589a8a9143d6ca36549abeffc1fbfaecc68536735d6246c84530b8e22213b9cba739f3c33e9840b79362a4ae3f344a442df2e864b1c736

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9058ea5a52742df1ad2ac9fa5665843a

SHA1
cba13e4fb9f38a97f6b611cf56586ade3f450cf8

SHA256
4064ee1a17887743ca1c1575f65e1d23c28a08582bb9fc27f1bdd8a039f09d0e

SHA512
95d34505e80df1c163ed2aadd1dd5b94dbdc15d70bbc5d8609e31210f6fc07c4c11888cf9d458626387236a9c03a1ad9beaa51e11f39e604b8ef15375444c7e4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5caefd6594c767f93d74096638d5c8af

SHA1
ed35c0958402600bca9d4fc32d1e7a44768a2f4d

SHA256
f426bb94926f4e4feac0cf7d1cddd862b7f212a5d3c53f3881298179e91d09e3

SHA512
a719265ee2c14fd0921532c59739229c7f1787b247755d35ca1c22fe4073ceff38c7177726f51c667b967f6e38c719186d9ac2cf9117812ebc1b91275441dabc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a9e7bbd0059ac9405f691704012e356e

SHA1
9008ccf4a280a5c869456a4816a88847369aceaf

SHA256
ca6ab77403f231348009fcb9937e2a5aeee5c2988a9d61a37622148ea1dca4ea

SHA512
6a960c08a07167ddb3822d8eed87861e0b09a338597c451f5c549c17543d92c1925425b7446c69e1302ee50c0312830e72a7daf8adf9055f5d773e7ad257a9f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8d53613f088124be9d45a2d5b7cc95d5

SHA1
f33cde46d0145cf7895785ee46d8034576c776cc

SHA256
6a113943c3245fd95c42c2da090da9b7cbd7b48c81c7171025d7d0f6f0c329b1

SHA512
be1e6f00af84186693442cf12d2ad414acf5c351411d9e7ac61de2f39f99c024bbceb87732194061f065d6805f75942144743d268871f4a6976624f55952357a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\696fb2da-c1f9-4a6a-b07c-eb6700a7d3ee.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d39540a7c1336aeaeed11e6297446de1

SHA1
af539e8db8ae6584c5de78f1f84f9d4b5a0ef848

SHA256
6b2be671c54113a5b0a68967cbff045c7b9723f664278d51e15030f7f4127149

SHA512
9bdefe6b7db9759a337965920a2b8e2b584b41fb999c4eded5e747bfce7fde73fa89944ca18a1cf139ada72ff2bd8f855244ab9bda65c36aabc579e43fa1991c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c5ab7172010b28a8a85bf683dc6806db

SHA1
92ac6a99b1289fa34338baf8f452ccc5f9237e13

SHA256
fd58c146cd2eeac939bff557234c98b2b97d95ac0f4f4565ba0f44375122ce89

SHA512
88d4f32618caf1e195ee264fbe519c4496c3605935b7b233f4a6a89b7f6c808c3ead3c21ab2683d78501b969c557fd0f4b5d862adc941e9538ec0b9489318c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df0f9fbb53e4cf4ce7ad04bfdc78c561

SHA1
264e368d73601f31b150df94ff32982d850fecdb

SHA256
1dc7abf319a8a3dabe8a3af6a67c1814c3644f70ddd817ee10f0dc64cde4bca7

SHA512
7696d8c30726099cd347d5c2506a245e00cfd3122bee2ff5e4f8a6be108f7294f94434cb07dee6cc4a5000a139cf33de049a573c56b211562b285a85031f44a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575ab3.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7fcbc444b472d839a193adc2eaa66bf1

SHA1
6f1b25c14fe446bcf84041e4b0d59609a97c9a25

SHA256
4e798c31d774e7d59c7aa80f3ce5708a8ef637e7f077e0b932d147c8a118976d

SHA512
b85dfa060a53e7e78c018b038b3579d92e1baf91f524b85bc02ead92dcb954266f5db1ce7e7a470667dd212518d65ee26a9150a586fd756aadebaedee615e2ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
741263e12281c0b0aa90e5aed5daed7d

SHA1
022c4dd4dc10120edd66601c6b3b78b896213125

SHA256
4430fcc060f23a032b34a12b3edf4c54ec7bafa46630e9e6fcf424e47eedcfd3

SHA512
b41d8f477b60561446116dc7d8d165f4f2949771d8cf4f031df09e666f1058a7bf62adb97bfedb2d50b006268dcac97fc7806816ce3ec005007f78457a4d2f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
a849f33729df9480c68969870b021072

SHA1
843c85775ce8e994866ee8e5e465968344bfca70

SHA256
46cd3e4035d47d5b9cb76760e98083b8e511145592171e02be3dc7fabb709a99

SHA512
6438db30a7ab4929e0f93e1809d567d68b1a073a3e00f42d0841c686739cd90bad6f74e8ed3de186187db6e6142d36614344bd320defe5d02f4f679ae51297ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6fb7ec2d7180fcdd9afb446198e45d15

SHA1
192ba547c185537255d966d8f0c13dadc13f2e9b

SHA256
613a2aff4e9187ed282589ace22ab8fa47154b81a97d2944105b9744436b3679

SHA512
f517a6bebc0248fc6b1d620ab2de2cd6c0eb79aa667993f108b908246fbe4c873a33f482f8098979c8f78978b069aaf1768709b3780b0757aeb1516e04afb2cd

Download Submit
C:\Users\Admin\AppData\Roaming\b7c9b12bd590e271.bin

Filesize
12KB

MD5
cf140231a225559f09fa08e7375befc3

SHA1
b0c86fe2795864da387b33bc7e013902e2b39065

SHA256
096f0f61c758e58d024042b4161cfd22e6b238b5de539fbfbd1222362c036567

SHA512
c3d4aa9d48c062dcc8107c8e00c39dd122c56a896cc9d9edf7a5e8576b1d81f1ccef8a9538d2eb4e769b0380537caa480644e11bcb044a66771d5539b4cccbfc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eefac10a7fe2bb1296b177924a429024

SHA1
37377c5516b81c8833f26869cad6bbac05a7e0e7

SHA256
7d39d278e3f82d551de21f60e42abe827bfe8bb1a707a4f326f3a7a9f8ac8a83

SHA512
693ed8ce8574ab9462e4c25aec3785236e5d52325fec1c80f6f50dea800e6d0847dfb56c8f9a3c0a3a604c6786559db935e9baafd6824e2185803591f2ed0641

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
86e6b469bc4ecb42c5991847315c47d0

SHA1
e534cebab34ac6045429c22bac49ecd9dd50b575

SHA256
e39ac3c366f0f66322d1ba720d3415c97466684dfff5f5c44f0779ad8034a6b4

SHA512
01b8d054a10cc11054b3aaf66841267f7324583e4713f8eee2a6190850a6a8e0a8c8b02078e6b28d46aae666dabe338f0062c4ba7d8bb61c20791c835e379c96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fc0cb338f9f56eb17d4173064e7dd6a6

SHA1
4ed4596d21147db1d39bd852dc247294d3d347cf

SHA256
ff4754872f1e9cbf53af308637d2f962d81fb373ecf8f45c677040498e1d9a6a

SHA512
af70596a39ab6ea66db08f50200bdc6f1c77fa09b7d628a829a15303fc32ff412c0f08e2b9c7f2805cae5b874cb31e5e4b7c72ccaedf85eeb7f0d1f7793de04f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bc7384a00ae2ec58dbfa1c5d98e8f3bf

SHA1
5c1da44cdede26220d59d8e36c1e5030c81001cd

SHA256
d864ecfd16ef0568e7206c1924474983936cb843e0d8a031f9b62f71b60d9ad5

SHA512
22652addfb75e9e2c44ece70f0c8e80c034ded4544f302e03809feb9d8e0ce4e96f6c05982af2ca6cb59837d9f3316ac4ef24987cb93d23b10d3a6445f21fab5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
071b0a4cc63d7a05551a0d7008103683

SHA1
3f69b52304d1b5f2bdb9b3bbea003807665bebc2

SHA256
89b9dbaa7ba905127464dbe710c9b1dd0e68a0b7ffa40b60bb26efec9b414136

SHA512
7e34ffdf92ce13cd92131afbe37e6026e2cf3701ec5589cba683d7c525087c9160f12c3718180f04cabe17c3c0dd8113b8fb34c33aface1cf33801a764e1b484

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e311fe139ace08a1d85b36446152c585

SHA1
49e569d8658130732581ff570dd56f31362e56cd

SHA256
32fcb65361925e7c5538160ab2cc2e634345ff62b568bed755737d29e22013b5

SHA512
cf98613584dfa6b5fb3ba48b273266e8a22df29d54f6b1a080aaba207b7d07b6ec7a67c73f556d6bd03158c339125977e33afaef84016c8f6585146c00e01ac6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fce662c2d6a1e20c2be156ef861fd03f

SHA1
c2e00972544cc2e6f2fd57fee24160aa9c4b5033

SHA256
585d604f6a04998fedbc29e1cf6b33a8dc2d211944346ec231167ba48d8a6693

SHA512
1a9fc4487838cb0fa5198950781251b0131cc49c1ca66c19f25f10030b3a11e17d12b3a9c2506cbd60b2f3c8529b96a45f6870f253488c47681f0019051121ec

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66891984ee7c64bf4f5a4224b4df1494

SHA1
6f2cb8fb5bc922edd356ec48c3d6a5daf5ff476f

SHA256
67b8f12b830b0730ee0bee909741df193403e12f97f09d5a9263efd0b2975f12

SHA512
6d21c28407b0c30b28a3ee91a38242083560a4b1d10bf40d07e09dad3f764f3c874afdab07e0b4f01396dc62f469d3c6b0868044b1437e23a1eb5e17f37e92c7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
007cd9f3916a743b4ea9b133f13b3748

SHA1
dcf0411665c4ec8e958e5f31c954855604868ae0

SHA256
a63bcbf9d05c7a3027be03eedde1530870a89826aad971ac1b304a0d2fb01796

SHA512
b46cfc0a898c2179d25efade70ff0fae642ee3f316b92b4617d8f192cf58146208faf0bcc26d56936822d995e25effa273fa757c032333a9ea5cfe945540566c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
aa9ba718bff086858f37268e07b859a3

SHA1
92af85fec480935539d075f33e9a65b173287a12

SHA256
13d077e06743362b13c61be3a03b9311a8e78b9f10e1161142cbe6530812673a

SHA512
26aa1c8bba7c6e235cf1ea3c81f99cd3e9c2d445a77dd79819cf84f696420fd987296ff719d0cf5e1a037f967c1bff48b49aec726760c43348f06d9d8e962019

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
72e939b5e18b7128e3d0de99bdb9428b

SHA1
37bcb5cfd21defe932148deb4766e441f1329b41

SHA256
3e1dc685f93bc39729124074951f434d3bca656515159dbdddb4226e3de50d34

SHA512
b69212a2aabd12d56a0d64527a7b01ba85451c25adc5b9cd0afb261551a8cdf08ee67cf5e95493a7ee4d06e269887021f09cba045b93a7196ccbc27f1c835a24

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
96cd95e2b77cd38ef17c791ff3f6d6d8

SHA1
d822010a25698d33e83a7b73c5d40d9be63e32b3

SHA256
7f14360f32eca78669f8d89d1c61e6464e6dd9eddd8d1a390a71dc6ef65f26ae

SHA512
d5d0a0a74e09fb543b16766a9c1ab93321324ffe75110096777683f001e069558487d0b5359f8664bb0d89d146279ec5d93d55c87e6f9edffc2acbceb7f485cc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d8752a0602360bb35bdf5ae86cc7dbb0

SHA1
8bbc38445599cb9a78580692660427a780d015f1

SHA256
9f6d3fd819aef074cb06480a5c1a6f687663ee01fb03422fb5840558a8744f9c

SHA512
73f8a5d77d8ff2a16b85af86a75abbde9195b9a0cbd78a1e556433d7c50f4297a2d9ad4fca303993268854155e90cb847b043a366eff44dfc78ff3cbf63609d6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2a9ec786f03e188eaa79b5f877acfcba

SHA1
fe1b9bdf2c08c1a6708d7e6c71920605f308d88e

SHA256
39950c06a839a6c365ce406a23f018464bc45d281ebdd2c40545c281ef417b5b

SHA512
3c6e7682808d26b778dc6b67665e321686aea6bd0835023bfd38fd67e878a0def05a8304a97ecbf2286fe6e95e55fe11428bec04c6912fb33ba239ca251ccf18

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
577d11df5753936ac7c58510c5268471

SHA1
65896a01ab1ec6445b544b82ab239caeef4876a3

SHA256
701506d1597e0c9a4a8693867a9071ee4f1272dd7556f08c8147cecbcc555a1e

SHA512
32863ccd5ffbc85c02b0719f37177b5253805ea8ceec02d4d881ca55d328d6c62074ac782f3e997e2bc0324bc54ed5731cbd04183f19e025f323f46af1d52a02

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fc153cd879fe763c1c33742e35411af4

SHA1
485f45bb41c8e751b54b7774e96efbe59eed1b4e

SHA256
76838dba9bb4ed1cb14c3a1170c2a35a4d99ad90573d6ba13c1b3af100b54043

SHA512
00d45e9957bc1d4448f8301d18599ec2871269dba69f136d8c17d546cefc4ad14eda9278f226514982e9ae785cb18c5dc2acdbbfba55bb54766a6f9ad63768a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
061d0e33344feacfb7a759646ec93b1e

SHA1
583d6442f006c173c0609f76b42cf33f80f6a496

SHA256
356e3671d11b6e8d35dbce7aace97b85ff91286b084fe774c14dc567c8cc8884

SHA512
a6d17c3e8760c9e1180875cef81e81b13e95723c3c82580368a0b61e20d0034ee95cc03d0ff7737088e3ee322cc6d52616dc6b4e3ffa6b7a592ba2d818dd7018

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
97f050136478dea4938edf24374627d1

SHA1
e3d5228fd7ed42a954946a794afa0cf71acd0b2b

SHA256
0c5819bb8d18735d8b50f2d9b9dded38f9ea3e63e33274876a6a180a2f13bec1

SHA512
eae0a7877549d1c97f080bac5d8a946d2000658a677d711389306112a979557d4b79aebf83645bf76b2d39b952bb5a56cd990468d204703f64e21b5fd3b2804b

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
memory/404-218-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/464-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/680-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/680-703-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1120-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1172-226-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1440-9-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/1440-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1440-18-0x0000000001F90000-0x0000000001FF0000-memory.dmp

Filesize
384KB

Download
memory/1440-299-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1496-697-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1496-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-219-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1864-15-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1864-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1864-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1864-22-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1864-7-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2232-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2232-711-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2756-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2872-640-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2872-221-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-287-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3368-215-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3368-67-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3368-73-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3628-300-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3628-714-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3668-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3668-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3668-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3784-216-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3916-90-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3916-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4016-518-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4016-33-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4016-41-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4016-42-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4328-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4328-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4552-63-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4552-76-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4552-78-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4608-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4808-224-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4876-220-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4948-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4948-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4948-214-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4948-567-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5780-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5780-589-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5864-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5864-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5984-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5984-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6060-716-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download