8bbf5b4d286a899fde506968c361871e8495ee1069edf3392fcff32352b38243

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 14:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
Size

5.5MB
MD5

c2913a07299e42728e031c0f972a5e9f
SHA1

f442d2dc65d0de52700c9b6ec09cf7fa755ccc6d
SHA256

8bbf5b4d286a899fde506968c361871e8495ee1069edf3392fcff32352b38243
SHA512

8933ea5d0221d2fb56574ee78ed810404b4f174763e396b58d63a0d27c8f456eee23fb1f2e37bb7cf37f4fb84799b2a9f3d35c8ec822cd2efcd0f08838fc99ea
SSDEEP

98304:eAI5pAdVJn9tbnR1VgBVmxU7dG1yfpVBlH:eAsCh7XYEUoiPBx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3768	alg.exe
4996	DiagnosticsHub.StandardCollector.Service.exe
2444	fxssvc.exe
4732	elevation_service.exe
2916	elevation_service.exe
1716	maintenanceservice.exe
452	msdtc.exe
4660	OSE.EXE
432	PerceptionSimulationService.exe
3796	perfhost.exe
3504	locator.exe
3440	SensorDataService.exe
4708	snmptrap.exe
552	spectrum.exe
4128	ssh-agent.exe
3108	TieringEngineService.exe
4696	AgentService.exe
2704	vds.exe
2084	vssvc.exe
4004	wbengine.exe
5188	WmiApSrv.exe
5304	SearchIndexer.exe
5580	chrmstp.exe
5816	chrmstp.exe
5952	chrmstp.exe
6064	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d7aebc424a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd92506e43b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e9f396d43b0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad643e6d43b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077f1096d43b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccc7216d43b0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc522b6d43b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d09476e43b0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
5656	chrome.exe
5656	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1184	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
Token: SeTakeOwnershipPrivilege	4620	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
Token: SeAuditPrivilege	2444	fxssvc.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeRestorePrivilege	3108	TieringEngineService.exe
Token: SeManageVolumePrivilege	3108	TieringEngineService.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	4696	AgentService.exe
Token: SeBackupPrivilege	2084	vssvc.exe
Token: SeRestorePrivilege	2084	vssvc.exe
Token: SeAuditPrivilege	2084	vssvc.exe
Token: SeBackupPrivilege	4004	wbengine.exe
Token: SeRestorePrivilege	4004	wbengine.exe
Token: SeSecurityPrivilege	4004	wbengine.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: 33	5304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
5952	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4620	1184	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe	84
PID 1184 wrote to memory of 4620	1184	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe	84
PID 1184 wrote to memory of 4764	1184	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe	85
PID 1184 wrote to memory of 4764	1184	2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe	85
PID 4764 wrote to memory of 3960	4764	chrome.exe	86
PID 4764 wrote to memory of 3960	4764	chrome.exe	86
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 4392	4764	chrome.exe	99
PID 4764 wrote to memory of 1892	4764	chrome.exe	100
PID 4764 wrote to memory of 1892	4764	chrome.exe	100
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101
PID 4764 wrote to memory of 3124	4764	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-27_c2913a07299e42728e031c0f972a5e9f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7302ab58,0x7ffe7302ab68,0x7ffe7302ab78
    3⤵
    PID:3960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:2
    3⤵
    PID:4392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:1892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2140 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:3124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:1
    3⤵
    PID:3328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:1
    3⤵
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3752 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:1
    3⤵
    PID:4180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:2792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:5832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:6128
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5580
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5816
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5952
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:8
    3⤵
    PID:5556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1924,i,3464423034138102331,13092550740705097882,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2380

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:452

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4732

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6056
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3f214182ebcf10ce6f39a315246901b6

SHA1
9d436eea2534918cd1597c2f3c715b6b461129ee

SHA256
047ea50ca7a1d55bdca94936336005de80160b5915430c332e857aaacd407131

SHA512
c409fa8581abf612b4efd1d01f1c3e9c976dc816352a4925b2766345bedabeb3bd9b2a146afa66cac86f3b72614a778528cc5400930a0b183683dab11c914d6f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
3a7df825880ace712fbb6326af0f20e8

SHA1
f6848032ef1aacfec6862f8e7bc393d50cbed461

SHA256
2b09529213b88c6f81218e5d1f70018cc91f7fc093e77f7727e2cee3b5cbd267

SHA512
b1273b0a4076c9db30caa9eefe70e56644c1a3892b94f5c2d406b080ee4a90b81ef9543cd41f4b49dfeaeae1dc011df69e03529cb153222abf6cf3cdf18b9e77

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
80daea1b77d8cd304ec901b916afc7ed

SHA1
96fba08d7219d9ac435ac5b5e9047439b5d909b3

SHA256
5585e6c83e571de2ef4be7b90200f58049675e552caff7f4a13637406502d435

SHA512
893a1ff098359d34e68ea11155b4c363f25c798e2bae24c2a377cc794226843ce0722d31c75f0bb2f04c298482dbbf1485d17f5b1ea7f88202396045d16d7c76

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
80ffdf6b7079779b053afb956f6cc1c4

SHA1
8ea07c915bd9478b2a0a853df1c13e94e0975dc0

SHA256
7bb981e8ec03b2c6269a3bbf25148d61b610b4ca21ef56f070cb4be9e9de6e05

SHA512
4e85edc0706e1c3bc588efc3cd97d8f6a098a8553d036c6bf97927f54cc4817c067dc064202c7e739de6e79246cb067e3217da99e4dab45e536dc3811dbc9959

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bc2a47c87d352c7ffdb62c1fcaa76f77

SHA1
9c446fcd1fb029ef8496bb7ac60a0397ea1a1adf

SHA256
3fedd64421ef710ed0d9836e0fe6a021a17045893c6a9267cef893c512688f2d

SHA512
227c808cf9b5aeaa32801da82247609a339b06456e183226c759fa7fb85fe9b2f6e81370b62e2e28821be82c28bd34a513ed1769d0cfabb8125daf847f51d845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ead5c5b65992ef68cf2eb90edd0f8846

SHA1
e23f95767614ce9830147ec6ba7b0b5ca18a8101

SHA256
be7c1faec23a46d25250554bdeb10d8f49b4fc3176004c914f34cd0c8caa990f

SHA512
043645f254ad57e33e6968a60ad645630ca980de7555b410631fbc597bdee7402e1f4b15e7d522537f01304ca08400fd58a69609a125e7440dfa3f1bb33d1077

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2b6c89fe-9530-4d27-a618-6b64e6bf69e0.tmp

Filesize
356B

MD5
4bad82432747144e8823bdb9e97b211e

SHA1
4578aa47b07085bbc48a0f31a3da4acc36e455d9

SHA256
2bd9f4e2a8c60a5b692ba35f81301b3e8eebf191ced339932aa0b84c6861ec96

SHA512
e67d617f002be93da435da2d8d108987f0a37f820aca7481f242da084dd88c8d713a5776a14abd83ad644a62ea69beb0a5641742770769b19c6587271a09902e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d7f4beb8a24d38892c0859e781dea48

SHA1
c2a2f342149404a3519ec40c7a0ea42172401ec4

SHA256
8c22111fb66fa696c883bc0f639dc18c0f2747a69ed43197cbd441186e8b96b8

SHA512
10ebe5239838f44af220f6336652ba8a036a7534488d119ed568cecbe13fec0f294ed20c7370fc016048a1fe55c64056534195d1c16f5c25cd8f82f8608b670d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bcd7f7fa434242d8ec0ac9d952b3c5af

SHA1
2b3d214b3731548a5828dcb365ef0e9f68f192ff

SHA256
1f09a70dc11c2c1de8c77a12083d60502ffc58884257f2cbfc73c29a29b1d66b

SHA512
a71c5a7d9a253f2e7e9b56770c692bb5c14e4f5537bfa27dba9d5a6c8f04e4665c38e62c1e29d1b2c5c8f4539d4d5408fff92ef4e6b66c1b4d706374cebc0048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575c58.TMP

Filesize
2KB

MD5
056cebe70ead07d8acc38f1ddd50556b

SHA1
906167b4de443ef14bb095ae8f196165c25d17e0

SHA256
bb4c89650137cd1ed35cc2299d77c4b282072dd0e43418272d06a04c82c3733b

SHA512
ba3fc43ac1e418b5c33910a18aa115755a4350b946b3a6589b77361b95f5f109973c3a072b4724ae9590f8ef2cdbe52ad0958be62d7d08ac46fd90dc3de00fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
45ad7127ab990decf242a6c9d5c934fb

SHA1
f6535e21e2ca714442a86e13868353774c916faa

SHA256
2c91167898bf549aaff2fe7ee667417122606dd0537a387ef7bf2c1835887bec

SHA512
6932e532eea13d054c0d0f149be01ff87199c7a2d55e2b3959e1d8d41019418ed5a9b4ec221a4f258e7ab20a0b64e15a879fb62ca8db092550601298137cb40e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
faaf0a231bb2b31c39a3c752e6242cf3

SHA1
31b82db4eb50a51ac25976cbefbff40c631853dd

SHA256
1503f50b832d8c0a46c556bcbed0963ac02f65c84e8880312100f58eca8a43d3

SHA512
8f96c7f7183d08ffa06b10962f9aa8cc68790e95ad80e1547f54bab54897d79d0c3aa1da70260b463f73d79f186ac28b653a807cd7aa220700288fc3a1b5f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
55ec0c49c0e01ff903b25b8764af92a3

SHA1
a88a7b5a40ba1fa3c4154b90b2b9eb7e1948e7cd

SHA256
24d08ed143694445f8ac25962ff9631ee3e6b5ce0fc1eb143c1c61b8054f9444

SHA512
94468e592b1da911c7a99383a0648a909f72bd493efc282f61e34f083a07b0832306275bd8ff9915e163facec104541b612cbfdbdec1557cb38b7d71d85b28c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f9e269f9e1c6a51dc48eea34db468daa

SHA1
a03c995034de34aaf75ab1181276ba9e9946d68c

SHA256
9497c765adafb64f1c1eed770bb4aabfd4c6349dcd23bb457070498a8db2a9b8

SHA512
110be7bb7b55d5fc2d31a0e5c36b70221c4a6bfe7a73fe4e53b6e0df725d4b6578a70c7cbdcc6b1dfc5288e2f5f2e883d265d5b9e94af9b58849c3230ea64805

Download Submit
C:\Users\Admin\AppData\Roaming\d7aebc424a48edc7.bin

Filesize
12KB

MD5
d3f510db7e0be5cc584f64780e3f55ce

SHA1
e6dbd4c3af2225c26f598fd9072b4cd4cbe8b39d

SHA256
cf857b0b6ea8883597dced6660f486bf5d5bf68242c22cfb4d8ff4e2dc3e8878

SHA512
7f22d37f3540810ec14af40d4fcb04ee93df719b42c74e13369fb17dc462e2bc20682114ecfa2cf95f2bb71d30bc4315e1dddf9ccf7022d95942683393112ff4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fdf876d768a764a73edc828389a2bbc4

SHA1
a3339d3a373c39d4cb09ff9ddb484f68df8b8961

SHA256
ae82333e031cfa1b180af4facf4ef7ca019b163f1267e6692b6468766cedc602

SHA512
b5ab71959776ad0b6f8bbc768c22b4184f4a6e19e2a71b6cfde4dec7fccac2b248486a49494a2807b6bcbf336adbe04a54001e355a243a77844c5e0252db37c8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
63114dab54f6d92a3efb0d47dd2b0158

SHA1
74b355b822842ad78dbca79329f7de7f5b27754a

SHA256
02faae24a56fef150dfb7f864d52329f0396900a6431c89e7f0484f3fdc80814

SHA512
3d855cd60c15fc2f5aeb04aa55fd21f606ef3d030888ce9ef15bb482ef7ea4d3443952b4f214cbda28f120add5b44c3cb3a73f8a7e238cf2fe9c14545e35f760

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8d1a468ffff693d04ad12c27717500f0

SHA1
ad07786eba59fb1416f319d0a2aa99afabd0c271

SHA256
ca2024f66f9d2d1a8a21e98e1dc8d7f66ee596df9204e231a304859d6a693d15

SHA512
015ca70952922c006e2eccc83df7cd65ff8432d3b1d6f8fbeaec451ba1530f6de6b4e073be97d2cc68e360d7bdf08cce68377f710fc2c46791a859fba33baf6e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e85f320b48ec44f1a00de0106672893

SHA1
cebedc66da7ee344615e4b2b98738e3d606fa5ff

SHA256
964beed373a62d2ba4b84f106b23d753a17b21d3864c779849566cb48cbc7757

SHA512
1c52afd101cdcd0ddf2e16bf898bca7ed3dd0e5d19d6ea79ce74d76b5b5991bd331931d1ec643a1382f17f430adfc0e1f1c62b79a412fcb9554f12f481acd0d0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9c99f91be9b8de230f4ca218b812014b

SHA1
54294edfd17ff17117a559571e918df27e61750a

SHA256
30335bfae7e98b1c88dda71a08a86814386938e84abeb64250eb2b9c5cf68bc8

SHA512
43b2ab1760cf2acae71f7fd4c6e8214d76f8f115bdf6d32670a4fc784dc1524d69d12b84ef7b2ec35d64c8ffede4529b8ebee0bccf0420fd63575e20bbf93c9b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c2b651be1f700d3a01eb1369c201e2c3

SHA1
00ab8e16df60bbd5fd8d50778d490f53026ef342

SHA256
fa34718eed433ca4c87713175f00733ea7f314087793a2ba076d104fa5ba829f

SHA512
bbb6867215a8eb944d714b58cd53939ba9ed8e079126755f3dc77989365523c1162574df6e1a3373ceabf1d9cf528dd7a91de32dc854d0a9406f54ebfe9b4dc9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
27ba9ff2a5f7cde6d40dd5ebca935504

SHA1
62458472cefbfb36d150a25273f01554a64173f4

SHA256
2b4afca5a5602da9e61d4b4a2b77a242b03e910413da34aa09bab2e1b9398630

SHA512
461da0cf368c8125d808927bcaa00c9966b19902b9bb6cd87c34af450498c68d6b85c3a4f7c479891ad66827ee1200e5207c505a214b88cb7fb2d8b835330784

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1499812d5d6decbd2b18adabc08722ec

SHA1
7ffae02414b3f0031d73369fc06732582400ab89

SHA256
c996f17df356d320a8fe6d408908bb6e0bd9d794c5d6b9dced78badac00d9385

SHA512
d607a9fdda1c91e90bd4766c96d5249a5cffe818dce02e08fe4d1bb2a952baae17ff933341b42cd1af6871a42cf3673e9dc7ccf9b8dc7f718f23b282148aaada

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d8c1e7d02b7facefae18352bcaf3beaa

SHA1
9324597c51da10b9575d10ba61e2f9781585f68a

SHA256
1e230a842dd5d8c8c4791f6959d365fe3a5dbd13f88d2f174a6820f665a6e969

SHA512
3b3add328ccc6f1a8d2b5e29d06ba178f875efc4eb3670af5720b9a2f9fa56838f3a5e8712beeb96d342470a6bc272bb8c6506c244903255da6194c41922aa5a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5df5b1d178efd54801d8cadf662a0bcb

SHA1
3318333b03510cfb5282af21b1f8d02071088d6c

SHA256
8f70f0d74dbc1d26d81a5ee6778c45469faa52ec72e40b5c81b9ba837e2e067e

SHA512
503a0c602b2902fa3077e7cb1b85bf7bb4972a3dce68476a32d16f18e0a71cc23e34ad548fb329cadb3b99cc75be5ae50a952ff3360d98ea38ff30302aa2ab68

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
fc4b25ba72fc4aaebbd3bfa6544dc6ee

SHA1
b1254656f65a38b8acd420ba9b834ce670e7d33c

SHA256
4db9b659c8d9ea13fc618ddf65a52616cf3e6bc8ca4afc0e9440f21288d5df18

SHA512
5a349e4d028432736f71907d3e63f7ac1a8b90090fa5c42cbc125b5ef543de1dfc0faa2f138af91995d75c33c7547d78d918ca4b93559df834cdd6d8ccbf8bbf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ed03d002537123725c7997e1e70e1162

SHA1
67431848c3a9003ebc623cbee5043759230539a6

SHA256
ceb66b5f80ee9ef7d7070eb4368dfbf2223a177119a409669a4a5238cd5d6daf

SHA512
93e93ae828b887370c234f37f58657ce64cc218595657a3dbcc835b5b8a3928cf567bf42ecc9da3c45eed32fbad01edb0e8361f08cf443bc9eb33ce57df336ef

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ed239dd1a130834e71df43c7973a4c2e

SHA1
cb5abbd165bd9cbd514a216d5f67d4dd2acb9d8c

SHA256
2f9def10ace8b994461c2e517388b7066f77887653cebc83c5f908a20aa7c080

SHA512
72b5395ba15adda1d37141e4a8dc7437974722c54f0faa5b5bbf5c3fce5ceec0a9a6db818bf8aa1c6237699decae61822672704905e7abbade26911311310470

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
aa32414dea969007393095bd5a33f478

SHA1
8427cb4d7d2c5be14095c832cb1fdd33d33aff25

SHA256
0101283220cb5ab730135aebb657c802e96b048d749951202336cddbbc73252d

SHA512
27364fc178b3df7761b4371f062d0a32f1716d9b4399c49541e3562c6fe4339acdb6f527ba87387813660f01179ae99efa8dc3eb1d49c2f7cf8b982876a64a49

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6822ef9df8f28b1ca2db61ea7fee5c75

SHA1
340cbe338b83e4e6f2a2afe345bbfc8d794585d4

SHA256
b51975c571eb7cc970f31c6775e10278bfa47aa6478a8922fbc5b98cea5bb34d

SHA512
98ad3f1b2088d561cbabe45db0de2e3d0fa2e6677a977588eec09a292395fc7608840c616834925cffc80e9d6296a4f2addb3a9174b184fb79cae7e227afaa5f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f5ec4b1b4f8fb598cb73d68582e3b831

SHA1
92bf21f5bac9c62e89288bfd714352382c96f15d

SHA256
4495fab5b4194d006ec481a3f5f97dcd03b0839d55c6064027b85d4427023b06

SHA512
4d2527528fdd3db14522b25daaa971d45a22721507a4eaff6078239013fb4c05a7061b61b8ccf738b59e5ba60de38d6d490ca985092c584b398d3aa2f6302020

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
70e7e10750fd717955005a2aa3a3663c

SHA1
506cec2a8f4db704b208309bf593af240461eee2

SHA256
bb4d99a4ca698e4e19d36b1c5a55a73644085ff96b99acb0d7c0c2577831ad79

SHA512
16a87fa4a4666b90eb940f0237a4f4ed3800a9504b1fe4e3ef7ce40cdf77d024facc0d7d25fbb65a740cc4f6dc1def0e4c557f94ceac110a2a99a4834ce82e8d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0c91937a8828580b630e2130d2a2fb75

SHA1
deff0a3930141b4ea96f154df7876973c2228b34

SHA256
593dccd0d5cc519c098a006695135ab04b4863ac67e3196c8fe6f1b7c88faf36

SHA512
f8d78223255a895136dba118458f3a9b2dd3c2d66a989ffc1b6e01557bf8e0e032bf96b706a13532ebb97033adcca69cfc7c5d45f0fd9dcbbe9550719e109e26

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
295c35172675c56d85b3271fc5adbaf7

SHA1
fc8f7052aa2fdfb84e7cb6bf027db403bcb8cdf0

SHA256
f022aa4752d0400339634741871e82f3bb6e1dc719e1ffe9b3987e457c01bdc0

SHA512
15813f64afc1d8f3fb24db561e3b68c8efcdfe45dd0768d53f85b32e72352c0f22240b9f4156dfa8feb88fde664025c75d3fe6594c957aa961fc010496f8548a

Download Submit
memory/432-135-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/432-309-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/452-127-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/552-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/552-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1184-0-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1184-6-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1184-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1184-25-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1184-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1716-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1716-106-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1716-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2084-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2084-745-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2444-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2444-62-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2444-78-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2444-56-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2444-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2704-691-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2704-288-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2916-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2916-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2916-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2916-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3108-262-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3108-555-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3440-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3440-635-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3440-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3504-179-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3504-333-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3768-209-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-42-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3768-35-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3796-153-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3796-321-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4004-322-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4004-751-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4128-239-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4128-534-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4620-178-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4620-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4620-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4620-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4660-287-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4660-129-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4696-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4696-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-507-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4708-223-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4732-67-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4732-74-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4732-184-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4732-73-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4996-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4996-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4996-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5188-335-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5188-752-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5304-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5304-753-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5580-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5580-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-754-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5952-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5952-554-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6064-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6064-756-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download