ea163e77f5e7dc501f87fa0a7c02606a33a844235e4198e2151f4d41d8fda6e8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
Size

5.5MB
MD5

9842b88c6c61b7c29c55277e9a91d19f
SHA1

6c6a1527f1b32068ade13b96a2941c40bd3de911
SHA256

ea163e77f5e7dc501f87fa0a7c02606a33a844235e4198e2151f4d41d8fda6e8
SHA512

94643a6b7174fbe5713a64b887969592c22a8f1ec8eb07ab070ed03bca782710cd3b16c31f0441375eae40df6b473f8cd3c0939efd4c553805c289c3556811e3
SSDEEP

49152:gEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfv:uAI5pAdVJn9tbnR1VgBVmwTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2368	alg.exe
2336	DiagnosticsHub.StandardCollector.Service.exe
3764	fxssvc.exe
2240	elevation_service.exe
3892	elevation_service.exe
2148	maintenanceservice.exe
1504	msdtc.exe
3656	OSE.EXE
4676	PerceptionSimulationService.exe
4880	perfhost.exe
4988	locator.exe
3280	SensorDataService.exe
2128	snmptrap.exe
2468	spectrum.exe
4052	ssh-agent.exe
5000	TieringEngineService.exe
1400	AgentService.exe
4828	vds.exe
2768	vssvc.exe
3108	wbengine.exe
4504	WmiApSrv.exe
1776	SearchIndexer.exe
6136	chrmstp.exe
2252	chrmstp.exe
5272	chrmstp.exe
5312	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\915e7c2ac3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005afebf9534aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a88c99534aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d694589634aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1d1349634aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610679778627703"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
4244	chrome.exe
4244	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3688	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
Token: SeTakeOwnershipPrivilege	5096	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
Token: SeAuditPrivilege	3764	fxssvc.exe
Token: SeRestorePrivilege	5000	TieringEngineService.exe
Token: SeManageVolumePrivilege	5000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1400	AgentService.exe
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeBackupPrivilege	3108	wbengine.exe
Token: SeRestorePrivilege	3108	wbengine.exe
Token: SeSecurityPrivilege	3108	wbengine.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: 33	1776	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe
Token: SeShutdownPrivilege	4012	chrome.exe
Token: SeCreatePagefilePrivilege	4012	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4012	chrome.exe
4012	chrome.exe
4012	chrome.exe
5272	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 5096	3688	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe	83
PID 3688 wrote to memory of 5096	3688	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe	83
PID 3688 wrote to memory of 4012	3688	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe	84
PID 3688 wrote to memory of 4012	3688	2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe	84
PID 4012 wrote to memory of 4072	4012	chrome.exe	85
PID 4012 wrote to memory of 4072	4012	chrome.exe	85
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4120	4012	chrome.exe	110
PID 4012 wrote to memory of 4960	4012	chrome.exe	111
PID 4012 wrote to memory of 4960	4012	chrome.exe	111
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112
PID 4012 wrote to memory of 4136	4012	chrome.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-24_9842b88c6c61b7c29c55277e9a91d19f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x26c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850fdab58,0x7ff850fdab68,0x7ff850fdab78
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:2
    3⤵
    PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:4960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:4136
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:1
    3⤵
    PID:4092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4340 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:1
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:5716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:5768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:5760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:5968
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6136
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2252
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5272
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x268,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:6892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:6900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:8
    3⤵
    PID:6992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 --field-trial-handle=1932,i,16396105999128241284,9399041440128173493,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4244

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3376

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3892

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3280

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2468

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:828

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5432
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
16b5c21cc6e5178c8ca92b115e1a8a7c

SHA1
783f93e56951bd32fd8962ce61eb71c9707e8607

SHA256
f21f697c6d5151c2b753b819a3caa9aa04ca88b805033d6313f4144fbce7265c

SHA512
d72eccef6adf0a447db437af9d2b377f329fda68b4bfd5b349032f0586130bc6013966c7958565616690ad9764d4bdfc8f96c269bdfd68ec5b63523332fb8b55

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7f41ed2fd32f3f7363b02f12cd5a3c5d

SHA1
47d49e4c3ce69fa8607253de3e98a00733e46229

SHA256
295d7a09a67f24df2c26e1868e058bab137715c102fcfaecca2edc5bce8b08a6

SHA512
213a12a7b7287983a505035b12835431f026d48f65ff0e8d61f78bdd9585072828bc79dfefe0294bb63d878b6a8c35e60bbea3ce78466d3012588eb94593bf45

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
49a2399867513680cdcc45a9057868d0

SHA1
15b2d192b5604f7edd39316794f482c4ed131c40

SHA256
09d7b920a3a6aa30f0ee47768e43887be47911c02d67f83155dace0e58c84c6d

SHA512
53fb4fe2721b69a3b6373ef9e02ce092bede3ff65cddf91edfe0b858aeac681ca24062e46ea538a633965644dd831052a2af51c02066002edb29118461ae13ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1ddbfbbd411b9c1a6064eb7ce083fc1d

SHA1
cca2358b27e1d5f0f64bc88d724c06e4c381825d

SHA256
1f1208387f3090efe7631c059c8c360467158d99dd722a7826f85cd1108ee17e

SHA512
f5a5b892af963a10cf2857b25aae51542aba6cf65cc3637d76735697d6db9184912bdff2b842a3ff5dd48e0c9e7ae4a00c59ea38c2d01e4d770e802e88716f37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b1f1cb1d56489d188e854449c8430774

SHA1
e68903e6e98ede3611dea8a13c081aff7a1d0178

SHA256
7315c3ebafc1734479698c72d63e9198286b082b51120472863e22a9f4e6039d

SHA512
2c52229863d86d748050b90103d6c6b253899713c2c4d418ac3a6d5d78cfb054255e8bcc4743c1c7ccce1d9554f04af90003c2219c6a30592711e285d5ca7a4b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\429d2ca8-615d-4b08-adcb-eb8d5c658e03.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e93360fc1f08beacb875e401a4d674d0

SHA1
ccd784c544947b627092a58252aeb3b467a841de

SHA256
997623ffc58f042825fdfb13e9b6a488abbfb6ad6bdc9d0a6d63ea20238851a4

SHA512
9c1efe16501094c6f268abab3aef7d339ae7db8c6c9156cc85064f4781998a2b6ca61d411fd2bb7f0b1fa93d1b0da0cd29435e11ffe5f0bea2ab2e191fd03315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
099b8e83b58c07ddf913c5a5a649cc89

SHA1
380a49167e9baa546717c516b31a2ebc5ac3792c

SHA256
4f452828d9fd37d56a45611581eea7d530dde8ab4b348c61b296bd402d4fe275

SHA512
31f2d39a36b499142ab80934c52a9b00d8e6e76d91547085e2865ce61b020105c0f3a92510705755c17b389ccde6c0f38b2546f2e67457ec3d81c102a759a574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dd046d37f114076d7e06cf6feac1f8ee

SHA1
bea03f50a33baf1d634d3fa1bf60015a217c2346

SHA256
7e2d1262de8409dc38c300c72368012aa7b74d6c095d927d9ce2112383497142

SHA512
a7e910afc68065c29779a113ba2efb82b82a27e9b2c07096f11eebaf0595003bc92ab6f271344ab05dcc144be70a3632343e0b6b6f901acd60c0534b4c41df61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57787c.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
5323b257254ba0c83332e19a21481d7a

SHA1
1b537c0bee494813435527c3efb97cfa4f553bd7

SHA256
4202dd9ee0d0e7867a514701a72e30d7073c39393b293dd6003e084216916e3d

SHA512
e9ca5d221f8050945d20fb25add5fb2ff5bb8f5e0c55282f8f4021163f716d6f01d953fa0f28d99dfd33548b2e55725df338cff6df356b04ec48a5bd97ecdd53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
5d6489aaa9decb4318d6f268dbb67de7

SHA1
16796ee12d17b437a5a5826a373b9e7052660eda

SHA256
b8eb50bfc9cfd2d12c2ff6c75bc0fafdd6a668be78b6dd653d411421016459e8

SHA512
6e2b1df6f7d0b41fe650022b3759b48e3c8ff10dac4e010df76a93b8c1887ab804ff58dce32314d4d8048a27e0e5418697140dd8a095f0269046ebc116341ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
23f6a6bd832a26c0c08ca9a8a10092f0

SHA1
34b2f1de59bd8d8e00c43492e2b2de116ce2b600

SHA256
7c6e95e1787b3781837f152c2be80bdacf120ca512af6c6673151cd9495d3c9a

SHA512
bb6a28f050011bc6cca53e681bd1786b41256fd9372cd05d2107f8e722e716e58f2925cdaba2af421c8440c0f6f4d4f9665402531dbf01f9d32d6bca5760ad43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
455eb13f1656faa79409be2ad64f6f74

SHA1
7a3690eb4df9a9aaf1ad108de22c205b6f6fe4c2

SHA256
9c6e1c9dc1537215aebb1ff3736393ea403e59b7ee6795bd6b93c1fad6c32eb8

SHA512
ff5b6161ed4cf6e7c24ac8fa486c44093a49a14baff5cc49c0283ace0899735377654c96ecd21c12edb6eae2fc38618dbe56d05e21623cfff08f8dd59f8aa2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
a2c7e51eeea4d3b164f18eacaa29ff3d

SHA1
43f98b8869690ba72f87be121f0ddfafbd7c7172

SHA256
a1e38b72b4d39bcb27e2a67ca5dfab8f75e91c7a3e788e9a39ce721d53da0606

SHA512
306036cd019bee3bfaf5972bbcf2b2e998849fbdf67a8d79f34964836d00c502454dee2d037b10f5cf3eb61057b491265ef32b39be6145c5a5b1cb8e6f895764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
dda44e04acb19f3b93648ac9604de0c8

SHA1
981a6fd50e70196f551515d9b43f056509bae618

SHA256
afed714d0f4daad9dc3bcf3e8e9e30f9e4ab5cf09a406df2528d2c5eb942bc35

SHA512
ede724f3e1bffa838195545d29dbe4855005d3bd6dd88cd6c9e5af50d132f714136df50aa1257d58f30ef818aa76c7a1bb5dd5aa0c136cf5a071a73becf0b6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57edea.TMP

Filesize
88KB

MD5
69ba1f53faa808f2f0aa286e76a165b1

SHA1
38fdec1cf698c40fa2a8b2b92a4dbaac60a5891d

SHA256
28e22757b770db8d9f3b582f37322729db50e922578c8d05e1a460cd3506b7e1

SHA512
90855d6d9f88372a4de4c8eeecb5fdbc5b447f84ddd22430afefc5429c2711cdc50cfeaa310ff3238d68b5ca1c4be71e9ce806055b62d7c5f68ab2a2eb6e34d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
28fd086b9941b52daf62bdf9f613bf45

SHA1
ee6b1d42a1cdb97884c4d9452acba171fd523be3

SHA256
1f016c780f2fcacf566991542270113bcd22cc286d72d3713fa3e0147187dfaf

SHA512
a5fe07d6e146c36416f9e0f7bfeda50908ef20683a6f2e9ff23feed7826ce24c323893960e9b7efea0ee54d225c27f77950df1d3f3232f29653bba7ee017602d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
980a79c3d386172caac360da2b52f508

SHA1
1d2d524eecb92e0fdbbe1a168924321d043a859c

SHA256
301e8171bd2bb77cf59b61a15dbe51b3fe7dc6f21f7c59018bcbf500de2efcb0

SHA512
6d3bc0ae8f01dc2d18346e0977eb907c3b40932a705d540611700d33ada5c6cbb2e144862829ce0863f5763c2180eed7d0505ba4ba6923378abcc0eae9703b25

Download Submit
C:\Users\Admin\AppData\Roaming\915e7c2ac3136770.bin

Filesize
12KB

MD5
8f362b380f9e38010605ce0b4080acb8

SHA1
ad180154d32edf9daf71da9c554d6860dd9a1697

SHA256
32733dbb36ff7befaa1fada713bb61a45708176026a73117188ec116b6b91ccd

SHA512
1afe6ab72920e89a4857214e97e7d8dd3618d98f0dc9facf6cdba50a6be1997607ed982b31d7527a759d646e853934cd9f6c09819b136148b1732a6fd8b4ef90

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
273ae633f2366361481ce717ad465c22

SHA1
34938f2a5a802708659602bc5ea51603b0f00025

SHA256
0d8495fa361acabfb4a7552945b25a996938da146387fd54d02d9f95e49eaa89

SHA512
d4b5d03f70cf1d4755d9dbb1385d87e30033b29ff4c342b03ff223bc2f484a740cb79115e9cd7069a067a521090d21cebbc2e32837daecbd9ad442194006b473

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ad84ee1aeac3e752c8253efda86edda6

SHA1
62f4e7867271a111e4278424ff1320ec4194c9e0

SHA256
ee7c1eb1fcf792fc5a68d700a7aa62edf007dc24e17b657d6e63fc4b678c3328

SHA512
92bd72117c892c7912d7a6df0eba12f64ac560e9e2361583f084c53a0d503b0814035305ebcd1f501f1449fb6c9b5d0331de8c65e8257332389c1811bc675bb7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
92a20f386413d602b7ee931eb1e72fbd

SHA1
5fd835768f2ee5c2f013f07a3aaec7467a675fd0

SHA256
7289757fc59ef6e9b5a1f05ac6951e1407e02c7c251284c6619d2082553f2286

SHA512
54c46496d53521ac8ed7901b749fba663a09ace22cb62537e06c820fcf2b10be711b9a3c873247beff83d0b9782ab0f8104ad275b230e74cdc21fcd4c3e85fad

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
07fc562b4d18abfddaa648a5fe221284

SHA1
36895d646933946b21af9fbef206572d9ee92632

SHA256
50eef8fe8e7c4a87859aa31ec817972ae321b247206bb84050e07439953bc5a6

SHA512
93107ffb4f52f7d5acdb1f45d2e6e2c568e72635a381086c0977965cffe6e4b3171de59e75555ab15c02d1c861baa9140a2cb171125cdc430b35da40536e91f8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8ffd3f67dcc97786188e6610a97386dc

SHA1
4c91fce412afd6592c4762ad336e41e5ff045c19

SHA256
5e637a240d0ad6cfd7e2412419d475c2538485dd3a75beedd2d3c3e1da2433fc

SHA512
5fa4dd5c2641474c8df989c339a7694f65034513c521fe025977c304a16f1d34ae2bf51a9dd09a1e9e9d9c10765e5d01ec0242d2f3537ade74303c067148c966

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2000d9c2c270c362e4d106405cca3b1d

SHA1
0f5913875767e4527cf765614953a9cf36c0f312

SHA256
1eaf9bb3f2980adb33a4efe53a10564c7c4cf08404e012fe9a1ff720f4349df8

SHA512
d5a88a364959fa6a76ee79855cc9273f401ff899af1b129f5308a67c10415b950072346e66f538bdab4e07994aca9475d7ccf9c0d9c886c5ee008db839c62433

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
be930f489a063bdbfb29b5d728ea7110

SHA1
b6544849074dcf5e1b314500da0fc7c7bb68165f

SHA256
b513be288248e697d007affd5af71720d6f5d03c1aa891ffe92a7ea405864ca0

SHA512
39f750b0ca2b2602f5de46e78139042cea737d312de6939973f816ef091ef2267342222574f7d4e22399d0497ced1e5bffd20231b1bdb387fdfb4cbdc5b3c5e6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8d59ba94a564843645a7f58ff9711d14

SHA1
0741dfb9b3aad131f8fc15827f9380e0d7f289a8

SHA256
6435393d3c249e8f2f68b4004ada1a242e8485f1ce90cfad91f25f2edeb9224d

SHA512
97de52cb84806afeec1abae21d2c0375a8ee78fa4da909bd5a429eec06a21ac1d9fffb8f9bbbb189dbd3e28d2874352d0c6fb0401953eb47e383991c03e4958a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ede4960ee1b41e1c69cd55f4b8c2c710

SHA1
eef9f7ee41117aad6d50834823b0b2cf5c353f45

SHA256
52f79f9ffb2aa6b86fb20357f980cb25b5b6e1edf885a7bb39fa400330ea497d

SHA512
50f36aedf3889cb2af1026dec0cb4c399932ad98ea7785c15a2692c9420255abda24020df2c8c4976dd7e28194e42cde9786138d03f9301cb797163ebe4fedbf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c7790ee35e4827c9195d657e89088cd4

SHA1
77daa24814fb2b332c8f9e5c208d8ec66c867e5f

SHA256
220f97d37a1d946140836d5b4f9715cf5412cc5ccb4d98379e2a68a62f069c0b

SHA512
1daf1ff52292400e955f09006471908e006ab9bdd63eb91988ca2b2413f23a0794e03228f3cef2a1641ba718900f35b6bca7583066785849510a5b30b582a7ae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
43cf3253d0103fece95aa4ae09e53f7e

SHA1
9122ec6d01d665fbc5f9367a77f1c0351704741e

SHA256
9907c9f63e4d7c70eb88d259f64ae8f92cde8c2831ac7e219aea7a167038d8b5

SHA512
f29ba720d07a2c5ebca3b1028ec7915c23410a3a97f07f7d8d840071cd836ecd54849123b43e6d3cfaa8281d9c279ead4c0b03905f717e6e5a2b020dd8bf9e52

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
748c018cc32e5e08c1d400dae83c6f78

SHA1
6c8bbb3e55fb3c2cb668728b28d730a1a71c0718

SHA256
8d4a36e97211fbe0a43805dac1cecfae84823b029eebda196df815ecc2a39686

SHA512
d1cf805b2ad24795e19409b7bb708993cefa2cb5bfe3788b7e68ac97004273551db2b4cf77a8a3cb964ad4fd1fa6cca48ded0c88c7dbd53dcc0bd252ea787c79

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e4850563c4a0611ceded2937d31bcb36

SHA1
de9e9e59c3f69627d0a60cfa95b197e7488bba13

SHA256
192296ce9862d50feab2e847453b8f04241c0206bbf6189d89bb104f3a5a6b51

SHA512
3eb41773985fafc01177225f225e4918a8c3d60aa1c0db4d3c1d8659144b2f28340aa126e6885f1c1844ec134dd2b0d51bec52bd97aa1f5dcb800ad58633f5ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e9b8b5f1171e89278eba0ccbd7b9d72f

SHA1
53c0bb3d38d4100ccea1f4772c823aeaf6f48022

SHA256
9e493ff60572f9f0197a34c1a6093ba635ef0f63fbb3e17f60343400cb33d7c5

SHA512
a00b8b570a42efeac860ac2177973b13899dfd3133f453f0cca23ff58daf647245f1bdfa02c205f4bc47c54d4619d713d25a55c2fa9e572117a8bf719a4bdd3f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
dd384704ccd16236ee6451ed1b47a154

SHA1
140562a2caa3d6f46cc6cd57d8736772ad679faf

SHA256
dc17b0fb97845ed7f907da5f1d577537c411ba8214ca124d80695fb107592ca4

SHA512
a16a095bc4f90302b7970a26e39c72293b280da6dd46827bdfbb71910fc45ddabef9b02b6bf5aa6466338439b12383e96fdb130eee0411e2eec260bc5745edf4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
55ce9a1dc84250b945f7dfaf63efdaca

SHA1
dd5ae621c47f3c54d611b04aa2e88fcac82e3dd8

SHA256
18c72de45bd6e0f8213a375507d64e4de00cc601fdb63bb897570ca32d1c010b

SHA512
830bc12179a7e9bdcf91970416390448ab664d5d95d5e21e9128773f5d7339a605d555b47bbc334001bd400b59a1d482bba320656b851af4252656d1095cfd46

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
844c3e9d8389e5fac2e7137219e22642

SHA1
4f008ca6fb7c3402f230e786e91c17d47cb9eb1a

SHA256
b72024873331049a7db2897661701a540ffa7d248170dacddf34681391141bc7

SHA512
2362cb5c8306da0d1730395230b0bf1f924d3ebdf1ffb6d687ffb6dc405a627195934c57b762e147a0ac4d2b11f71bb2eab5201aefd042b3e5361077c099b211

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
269fc8bd32a26163d375da0ae82b09dd

SHA1
1463a8ddcacfa59127a4126a7cfaf2d9b498ae4c

SHA256
9e3c9c806359148a6101b638839b783c12295e12dcd30ea21f89b7c23e33301b

SHA512
4fa56a085c0b504ec45ca6efc3c47857099af6708889a128c70f4f5b601e08ff1af138e6d356f1a65afa0a0c3ceeb1162d14adc4746079d80a07e736c6cca7cb

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/1400-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1504-236-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1776-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1776-786-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2128-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2148-90-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2148-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2240-316-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2240-237-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2240-70-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2240-76-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2252-787-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2252-551-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2336-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2336-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2336-42-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2368-33-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2368-50-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2368-51-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2368-625-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2468-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2768-780-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2768-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3108-264-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3280-244-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-606-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3656-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3688-23-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3688-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3688-29-0x00007FF85E1C0000-0x00007FF85E26D000-memory.dmp

Filesize
692KB

Download
memory/3688-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3688-19-0x00007FF85E1C0000-0x00007FF85E26D000-memory.dmp

Filesize
692KB

Download
memory/3688-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3688-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3764-65-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3764-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3764-102-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3764-59-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3892-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3892-239-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3892-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4052-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4504-785-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4504-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4676-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4828-249-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4880-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4988-243-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5000-248-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5096-575-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5096-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5096-18-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/5096-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/5096-22-0x00007FF85E1C0000-0x00007FF85E26D000-memory.dmp

Filesize
692KB

Download
memory/5272-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5272-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5312-794-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5312-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-601-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6136-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download