a751c6e4cd2a960c79adfd430f94d75a3944fb69ef5b09f9c3f7f9c4a0be7cfd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
Size

5.5MB
MD5

06452b7759d47165f83c60ad492c89bb
SHA1

f0569dd4a30e05e4f7f90d3194de48176d1a2f29
SHA256

a751c6e4cd2a960c79adfd430f94d75a3944fb69ef5b09f9c3f7f9c4a0be7cfd
SHA512

3d1201044237b8ae6c92498d6c91ea835b2fe4b386d6455e1c213c813804863b6086432201567991b381b2c8bd52f126a20be61e2c2b7787b19879b445e1af4a
SSDEEP

49152:kEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfE:CAI5pAdVJn9tbnR1VgBVmtqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2432	alg.exe
4896	DiagnosticsHub.StandardCollector.Service.exe
756	fxssvc.exe
1064	elevation_service.exe
2408	elevation_service.exe
4736	maintenanceservice.exe
740	msdtc.exe
1156	OSE.EXE
4180	PerceptionSimulationService.exe
2268	perfhost.exe
4768	locator.exe
5100	SensorDataService.exe
3516	snmptrap.exe
4600	spectrum.exe
2156	ssh-agent.exe
2964	TieringEngineService.exe
2488	AgentService.exe
3164	vds.exe
848	vssvc.exe
3376	wbengine.exe
3688	WmiApSrv.exe
3028	SearchIndexer.exe
5572	chrmstp.exe
5768	chrmstp.exe
5860	chrmstp.exe
5632	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b645a4ecd590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9ab1b1739adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c863371839adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021438c0f39adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11eed1039adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ee6351739adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133609599530659942"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8b51b1139adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4072	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
Token: SeTakeOwnershipPrivilege	2424	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
Token: SeAuditPrivilege	756	fxssvc.exe
Token: SeRestorePrivilege	2964	TieringEngineService.exe
Token: SeManageVolumePrivilege	2964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2488	AgentService.exe
Token: SeBackupPrivilege	848	vssvc.exe
Token: SeRestorePrivilege	848	vssvc.exe
Token: SeAuditPrivilege	848	vssvc.exe
Token: SeBackupPrivilege	3376	wbengine.exe
Token: SeRestorePrivilege	3376	wbengine.exe
Token: SeSecurityPrivilege	3376	wbengine.exe
Token: 33	3028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3028	SearchIndexer.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
5860	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2424	4072	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe	85
PID 4072 wrote to memory of 2424	4072	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe	85
PID 4072 wrote to memory of 4048	4072	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe	86
PID 4072 wrote to memory of 4048	4072	2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe	86
PID 4048 wrote to memory of 3456	4048	chrome.exe	88
PID 4048 wrote to memory of 3456	4048	chrome.exe	88
PID 3028 wrote to memory of 208	3028	SearchIndexer.exe	113
PID 3028 wrote to memory of 208	3028	SearchIndexer.exe	113
PID 3028 wrote to memory of 2500	3028	SearchIndexer.exe	114
PID 3028 wrote to memory of 2500	3028	SearchIndexer.exe	114
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 1452	4048	chrome.exe	115
PID 4048 wrote to memory of 2916	4048	chrome.exe	116
PID 4048 wrote to memory of 2916	4048	chrome.exe	116
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117
PID 4048 wrote to memory of 2292	4048	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-23_06452b7759d47165f83c60ad492c89bb_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1147ab58,0x7ffc1147ab68,0x7ffc1147ab78
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:2
    3⤵
    PID:1452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2096 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:1
    3⤵
    PID:624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:1
    3⤵
    PID:3764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5544
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5572
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5768
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5860
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4192 --field-trial-handle=1904,i,14397989872111555172,6210424176112073709,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:740

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:968

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:208
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2365c1c0b0cdca59947d31dad7c78cb9

SHA1
b45d88050cd37a0ecb92a1c14cde1133557a66c9

SHA256
79954e1296385125854cdb27479766a830bb94ad2f4a3c212390b631646e644b

SHA512
16b07b79f1aa154a43debdf4c93b71f49ffacc0407b7412582f815785bba49835fcf542a1df60d80e64bfdb8d737e80985b86d542db167c53363b46f6949e33a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
73396aedbb2a7ec9588357d4b39beb65

SHA1
3085becefab9822657ce642bd83d7da0eb3b0a6a

SHA256
686c28e27fe5bdb875896e7854c91aab0827b409e66ec5cd1a2d127b1a40d0bb

SHA512
cceae55b79471d5e5bbfe833cff92606fb5970f00bdd7c66da577703a44e6fa5fe8ee213bf9353818c767f62c84536c3cf9399422a26c2d4c0b5eb8f95733263

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
74fcd151c79bb09f8d3913cf8c749ed7

SHA1
cc2e4df65789d1ce0be3a0dbaa7e60ac9b40fa93

SHA256
cc879bae0ddc234eb6118d36b97ec9c5db5c8095ecdbbaa4b617a7721f23e041

SHA512
f97c22d14aabea78541d2fa62f33b9dce26834d7637907b781f18a135fe586f3db5b0d4e8ca651fd68b33c2c3ae10ab43b1a4e6c4df9dfc5946e610bd926cb40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6e9f66ecf663884906094a842c4910ce

SHA1
a0ef5de5ceafa43f3023980f286a6f71e2e19b58

SHA256
20c87063c42deff626a816077d30c1ae438e382714ab1d57845ae0113e83086a

SHA512
e7972ef53b4efb57770ba34d3176e6465979997eb584648c74a0742f09da5f44def224bc8080a0aebdc08084202b42b55f461d4918a35d526eeccc16b31bb34d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a769d266027cc4d56c69497e991b939c

SHA1
d737fd23e59d123d8134f0bb3f2a32918d165e9f

SHA256
abb23abbf955152d8f5c7078b7db3dc7c31e113fb004f55a98fa126d4c2c65b9

SHA512
c1de66657a60f1a8f88f11fda47aab0a6cd8885ffbe3db78f669a8f185af549bee8c72003fb2aa6de7939f6b6256045560b7e3d052837904cce7c28744ab44e3

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d5c91878-42a1-4d90-927a-f7333857fea5.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\27090dcc-242c-47d8-9fbb-13eddd1a23e8.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a2754c285d467383bc5fe61568aeb753

SHA1
d0d0d43c7315a01b393d3dc7b9beddbf7ac4ee1c

SHA256
69dd9f7d1ee19dea45e0e7f68ed6cd92cae797af2aa508718cb8ea6cba371ccf

SHA512
5392721bcbc5ff3c9aba07a83422e1cb49bac05bb14aad791df53ef5ef4441af75c2175c13e3960898db46b0743d5f6f672a304154ba5bf944edfc98fc183805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a26a141d50b2e98d1b99f25e773d4c48

SHA1
43d4e441ba961d1d5eea3e2e266b023ebcb0bcb3

SHA256
b250b8d2581a795d3f4ea6921f0657ec2110195352d4786b5f3df97139e5b986

SHA512
ddf33cc8ba90d1cbe7f7796ae967dbcd871f8de2c57f595e9c2b7a13b6a06802dcdea2853c599ba42b46352c507dbfe846431fc72b4bf4363d3e7f13430662d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5efad5b27220cd41c113a59eaf32df0f

SHA1
7d89798f849e023e2aaddc47cda3fa8503680907

SHA256
c1b387a234847b28ae85ce4d15a11768838406e5454344c008fa6471aa81cfdf

SHA512
4aee74d219b7f26c72bb34c782a7152cc17d3185a2d0f8d875f3d0ef0f34ab3e3fcc75f3008a71fa9c0cc9d5b5083b06581ce4f0869204f5fc9e200f0c398b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57b3a0.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d65de6a2f3407ab4cfde18f5b16e65b2

SHA1
d0715cd0a4487aad78ee295d65240d964f08ab00

SHA256
f4bb3f9be5eb872c1fbed820afe064fa9a731826d6cda644bdd313454769e023

SHA512
ba30a7373ad02fcf5c38335e85fe2b40f8fb870fc7cfc2d7b3a919ad0b02d84e19fcf3e191c8e49d403096730ce47f214ac6eaeabd370c28f80017d03498f0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
4c2583995a9e7326964ac9ff51e9133e

SHA1
444e80940ef617d896820d2a63c74bb8ed3df030

SHA256
faaf9fa3cc8d1f6e7dd42454e156e402d770e7ebf9883399536166ed68f78d03

SHA512
ffee08640f4f263a5b0bdfa4f192ca03ec6c62e2ff6aa4389fdfd62db2683ba854db3dc0094736eec8832ab4630a6f040f09b575f5fd687867694351da046e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
277f53539e9fa4c5dc7000a635846eb6

SHA1
45c547e19720e47adf9941694709a0ecb9231f75

SHA256
63cf8c0debe84732315bd7a50f7081b671d3fa91009c6853620fc312ea6482b4

SHA512
479d7ac44f3fc7ebbe0a2b9663a3fd67e8b2892676c605b4f6d25dd026c8673a1603a8c5ecff045506064879476a9ee5e5239b9ad1b1a7c00695d3af94dd2abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
6bb9e0ed6ec5cbe119a8ee7aaf47865a

SHA1
4d5eb0613d0392ef97a2a58598f4b819b1ec00b2

SHA256
0fe76b38c76c3efdb2060d36adc1be121d42209f0d3da7b6f58e9f095c241787

SHA512
3b8f2051c2562caea232f859b14e05da52c68ad9e208604a88f0e9f6770d044cee18146fcb2ddd3515f30daa6789ce93f269276393cff94c6960186ee6ca548e

Download Submit
C:\Users\Admin\AppData\Roaming\b645a4ecd590e271.bin

Filesize
12KB

MD5
ceec5614ab8f34cd6f785698c8927a0e

SHA1
8dc83f016879e2cdc64a25980518be8bc34db702

SHA256
3788426e4e52a6af0fc79864bd1cfd43f821aeb83b79230a526aa9c68fde9b3b

SHA512
fa0ab460097ceac871e54f4e66385f6174cfe79e590ff0534f4078aae872ecd5cd17e0e382606079f9a51b4d4002247d09a3d9120fbb03d5c572c4bea7c79bef

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0cd59ffa08d7bc03b23bdc2ec49ffdb1

SHA1
472ab35fc487ee6638480605fb39b91a4ede7664

SHA256
fbd03d28048920d47aee2f3312aa9d7435dc731d6811a8c2bad362b2a86f68ed

SHA512
a8196ad5cc22b987581474c89224f5a3715fb5a5a68f8b54c8b48cef69cf45b4f8c0d08748105859490c03fdaaddc2dcac0a57868dede80cc857c07412d5febd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6da11f7fc90861f3749465ae3a4c724c

SHA1
2a81f3bbf7da3cd5b3d88f7be6cbab9fdc944169

SHA256
5d9fa852a2ac71f951854c956fa852ab617138918c26d391f04f45de60a3ef81

SHA512
085393f81f3254c631cdaca9bf5356ee6bf888faae39e892a80d9a48c67abe4801e395cac75b6b0116d7d4a1248a63ef442e155b2d26f862a7b333013d427f46

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3dba3b925979b9c5cd9cb65d7c873c3a

SHA1
13025b0252c8b5596b0e2528841fe09feaa6d21e

SHA256
d8dc9a9abe97764057ef0d85b16e201427830968d330ba0ac7b6ea3dd90f1058

SHA512
890ccb70715f381d5aa70c00d6b9c368c54454b1818073a72c289251da9afb9ce284db66a5ccdc10311661a4ed7a4f74ff20df7ae494169f9b2b03b4df1661a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4511ac2d6688ee956a65869f4ceaeb20

SHA1
2d727859afad84a62be77d62fe6c13b4715ec10d

SHA256
6239fb6d3d37fe2dbe5e4bbe567773896dfdfcd9ef8933d41215075b49ade01f

SHA512
8f32a82340c6e8f844a6f0766f248be81848d9b924455075b75a3dd24353add55e44b484f6aad482f8e477c9328b6b43977c9ac3d3d06dcd93f91168073850ae

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ed5828d7c393a98deb3a2e675fb0c4f7

SHA1
311cc054e2f1f02d90add5214b5ad6c69c8acb59

SHA256
2b2ebd7ed8e56c6286abe4488681d7543de786a7d619a046025458224028eb08

SHA512
ba0b7d072cf649cab490b0d1fcf590ab8da89f33917e743be24382bf35cf5cff77624a7cc980bac088296c3aa2a2e6624059ff34fb282ba17c63cbf8fa300b54

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
fce6704a3bff695b67462ac06aab9732

SHA1
56f5d810147b06b98ccab892562b15621595f809

SHA256
458270558afca2b5213b168dc77474eaac600b864dcc7fe5fb0011dd317db7cb

SHA512
0f0b61f9affc8b88fe641d954310e4001bd3bdc617f8572d299af04340152ffec8620827b84ba68804c97b0004434077dc7aa2aeafa8b10f2f58add78d2e6e39

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6c032f31c327d2905b6ec07435e407ba

SHA1
4acb64f7d79412251b811281250ee600db1594b4

SHA256
4f6fdbb8965fd218f9823d63dfcc5e4bcb15a7b875c60eb8a96055878d71fa3d

SHA512
ef1d8ba7c0bd274ebd3d6de3e1889f3df5fe8d9805171c30b50e06655c359decf7550feeb089aadbab17ae450c5cb3be7eaa7d4615ec7804b224c587ba7478c9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ab1839ba69c5ba2ed88be038dac3d495

SHA1
8f8c0d35aab4b77eccbb49a80305f3e6cbb3fbdd

SHA256
a35b44af6d9a9383003db3d2796d31552bfb4a2efec8847224646d8c68330276

SHA512
e0b5d8901ec4f69738aad760223a1690c46e24ada15f6c837ec00eeea150345f46106b8bc420be227192c8ab5f62b288f6f8c19dc2651a56570659d394e6173c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3dcfa4c47014a8365f0311e7f88b7523

SHA1
499039bccb5a76655b577a7ec00187cee9365894

SHA256
6eb7f9a6253ae3a70f8763e3017539d1b048ddc2ee6d850b306a2af3e1e27736

SHA512
7ed1e3e6f4c247ef87f4186ca611dae675e4cb4d36cfdf10f77fd10b1472d59980e3f959b27464c6508c95a14208f3e65b80ceac11e6f6b36f032728cf735b15

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
26c8b8017b186d2e52034d4e866c4113

SHA1
d3487b8dd3317e530246cad9de731384af781c70

SHA256
5c8a77b9d4b3a639810fa3aa295339050233f003c4306dac507d4a52f85df9b6

SHA512
92c03e72aa26792c873e295cd0171ec9d41518bcbb60970c28c086d887c4a6eb99520f0e84f42f9fe8285c10ab9353075cbc42627840bac2bb532865ff431be4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a606ff786ac14e4469a2230da63057b3

SHA1
6e5c984add07c690d4b7265761d0e36b8432c238

SHA256
f1bf4a821dc149db730f5bbe1359fed0d1355f57ebe826536659b06b3e0f11dc

SHA512
56e13b44768c4825e7be0fbbfa5a1fecf071f3e663e33870fbc3d58b8cb343751a506806fce3111c6cf477d0cdbf1ce89b6c4f909c44108427d1c31239306736

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4c6bb018a272d4446d75a7c512f0199a

SHA1
02a21ad6db4b8aeb22bc70ae504919184e693c7f

SHA256
a061b444ecc9a3f4988d91fc9915e5bdf5c54a37937a063841d0e0ace91d6d74

SHA512
2f8cc014f268ab375cc7d000a3adc3d748ba6d5741305ba7a82476d18df556f77558a36bd7fbbfb0380c9fd28ac3ff739dd63616b4eca82b6b6c392297778190

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3d2597a787c1856beea7da79eb915b52

SHA1
d042c34241b411203497ad8aedbb6819c0dac1ef

SHA256
eb222df9891af6eb99d152f7ec4d0ed9aff8e959fd533470bcc1593165fa65ac

SHA512
6ae1012f148c8826570e502fbbfcd9c3cd61f982b8d43fff4f6b2f4268bdeff1f1602f0aea2062482e2a04337405a61fc23b718a45176ec449a8a65495aa4486

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4d1967b1432bab8ee1467007150de3bb

SHA1
eafaf21b508c05b59f19b70c8b5ca113c13ae33a

SHA256
93fe80f793d82f6a8e7f3fe1e43a5e2b6a21a1cef7cf25b26d978cdd76db7afa

SHA512
d977e82eaba03e11763409d7bf06e60943d7d360c6a1eef6b6ba527d11e0492b3b09d148b67051a683f74b0701502a72c1ddec0c78c2944e2a1a1f2e4830f318

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0b5c5eeaffa9c69776fe493db13badee

SHA1
f087cdb2a6137dc3779d010fac06ef9d03d1d885

SHA256
4a88b7703d424cf6c42d788fb8c941d004cbe93ac0a2387a5b545738945e748d

SHA512
48f97383f8ab1f36a14bba019b429464fb02067e0fa7759708b0fc56628113d36c84526f4a6ee0cc964efb180b71964a239852a33a802c99cccf28f156904bd1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cd6174b299c66881ce0966beb28553fb

SHA1
8db71616b64309558e5422b4a8e01861952e33f7

SHA256
152641183d55d10c557ff07e74fde2d1babe9a4e64dcbfc6850c15b62d985ee7

SHA512
051f445657ae8f4d3ef4dd51c7d220a607424c5c14c19a370d8da41cf94a14699a8b042627706ef07d76b57029f83a02c42d3dd49f0fa85f830425ca794e0849

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
30a437774df0fb19048d02f22875a8bd

SHA1
6312c688e2e99ed2fd4e484bbe9985bef4db5fd1

SHA256
50b925af29c062c092368534296c3cdbc734f09bb07126e4f54ef8a6aaae98dc

SHA512
9b329283b8b2478d189ccfc6d42b4a546aa81b168047901347beb9257378f8749f9e9f84b67b10b62b7555ac360792ee832d4eb3cce7201759046bc58c253095

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1fadf782fb9ed58252ef85297a3b307b

SHA1
46c6e3610922f7e3bfcd05d1645d15db1b2318f6

SHA256
2bebf0424695882a1d7881f9113e91dba46414e4826a643b5b990b562d5191d4

SHA512
d513169b82b0e1b56d2b717c5bca8012d68380e8d9dce034da38d1d42df99ad4f5d552d322ce5abc0fb56d78a76d6bbf3b6f9703fce776a9ef9c5061af26db75

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
memory/740-314-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/756-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/756-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/756-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/756-52-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/848-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1064-430-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1064-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1064-67-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1064-66-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1156-315-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2156-322-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2268-317-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2408-95-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-655-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2424-552-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2424-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2424-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2424-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2432-626-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2432-25-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2432-35-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2432-36-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2488-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2964-323-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3028-657-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3028-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3164-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3376-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3516-320-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3688-656-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3688-328-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4072-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4072-6-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4072-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4072-21-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4072-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4180-316-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4600-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4736-101-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4736-87-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4736-96-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4768-318-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-42-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4896-61-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4896-48-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5100-609-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5100-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5572-537-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5572-604-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-757-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5768-755-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5768-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download