bf0689d3cb62e23b46f2f5a6734ec2677195b8c71d1d5c2d313c81ac046c5cf4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
Size

5.5MB
MD5

8f8a3b9257337cf60e2c3f1b2b9e561c
SHA1

2cb35852ed8e4421829930dbff1c4332eccf2872
SHA256

bf0689d3cb62e23b46f2f5a6734ec2677195b8c71d1d5c2d313c81ac046c5cf4
SHA512

d9bdd3234b5f1d5308871a396c293649b35e297d9e9343e019ac138081f817b2150931ae5d58b95e68c381c08e5896190dc8f876137d3aee3a287d65f1cf3df6
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1tn9tJEUxDG0BYYrLA50IHLGf+:WAI5pAdV/n9tbnR1VgBVmP8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2232	alg.exe
3224	DiagnosticsHub.StandardCollector.Service.exe
4812	fxssvc.exe
3968	elevation_service.exe
5052	elevation_service.exe
4420	maintenanceservice.exe
3672	msdtc.exe
2416	OSE.EXE
3228	PerceptionSimulationService.exe
960	perfhost.exe
3432	locator.exe
4916	SensorDataService.exe
1080	snmptrap.exe
4620	spectrum.exe
4684	ssh-agent.exe
376	TieringEngineService.exe
5040	AgentService.exe
3828	vds.exe
4060	vssvc.exe
1968	wbengine.exe
5248	WmiApSrv.exe
5528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee13f0be703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000320f86672bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000488b1f672bb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efd72d672bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000014457662bb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3cd7f662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eb4c9662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b7f52662bb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6f467662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000496f3f662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000990b3d662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000159184662bb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
5880	chrome.exe
5880	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4640	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
Token: SeTakeOwnershipPrivilege	2732	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
Token: SeAuditPrivilege	4812	fxssvc.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5040	AgentService.exe
Token: SeRestorePrivilege	376	TieringEngineService.exe
Token: SeManageVolumePrivilege	376	TieringEngineService.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeBackupPrivilege	4060	vssvc.exe
Token: SeRestorePrivilege	4060	vssvc.exe
Token: SeAuditPrivilege	4060	vssvc.exe
Token: SeBackupPrivilege	1968	wbengine.exe
Token: SeRestorePrivilege	1968	wbengine.exe
Token: SeSecurityPrivilege	1968	wbengine.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: 33	5528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe
Token: SeShutdownPrivilege	1980	chrome.exe
Token: SeCreatePagefilePrivilege	1980	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1980	chrome.exe
1980	chrome.exe
1980	chrome.exe
5388	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2732	4640	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe	82
PID 4640 wrote to memory of 2732	4640	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe	82
PID 4640 wrote to memory of 1980	4640	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe	83
PID 4640 wrote to memory of 1980	4640	2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe	83
PID 1980 wrote to memory of 3272	1980	chrome.exe	84
PID 1980 wrote to memory of 3272	1980	chrome.exe	84
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 448	1980	chrome.exe	98
PID 1980 wrote to memory of 3260	1980	chrome.exe	99
PID 1980 wrote to memory of 3260	1980	chrome.exe	99
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100
PID 1980 wrote to memory of 4844	1980	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-28_8f8a3b9257337cf60e2c3f1b2b9e561c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e6fab58,0x7ffa9e6fab68,0x7ffa9e6fab78
    3⤵
    PID:3272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:2
    3⤵
    PID:448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:1
    3⤵
    PID:2608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:1
    3⤵
    PID:1668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:1
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4308 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:3844
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5156
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d3c7ae48,0x7ff6d3c7ae58,0x7ff6d3c7ae68
      4⤵
      PID:5196
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5388
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6d3c7ae48,0x7ff6d3c7ae58,0x7ff6d3c7ae68
        5⤵
        
        PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:5164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:8
    3⤵
    PID:6000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4296 --field-trial-handle=1932,i,12288871990376693344,5447323863265163509,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4420

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2416

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4916

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5900
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5124

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 57c35756f6d49cccf41b7c630288c484 7KLNFeyJWUqpZ5PAFY3lHA.0.1.0.0.0
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c509633f87fcbb654106b6b01cab8948

SHA1
c647659d1535587bb010f84c068c04ecfa257007

SHA256
5497a8d29fd26d603111d2c31d63cf82d0a5f36162dbb96df7dd61e520762e78

SHA512
5d5d6d5c81fbfcc082e9f430d9bdbaedd147fa2f94aaf3f59a765724439cb50a5b93b0889d84e4aa62ed8a71a403f92b92bf80e0f80793ef8811d1f9fb0bfcfc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
56f76e229a5dc41d36df28d0e7c80fd6

SHA1
15c3e06f21c7c8250c7b9ccb90e66adac52e74e5

SHA256
7f7447ab5821d2c214a4f01b16a7073c15e7dcb928dc5e9cc081947cf027d08e

SHA512
a0109591a53794324e33e0a5dbd3df49d3f2aa2055d6c03f35ee963934b59c26338db8795d3c5ef078edb3ddbb9b58b25704c2dc3bc7ff34d0f24e9cd7ec6d28

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
99cffe6e75a55c47af7391f894ee05b2

SHA1
3ed2b30b242938afc0270e2bee9d0ea901182127

SHA256
17ef51c5305f2e378db4d5ccc91cbc0129bb5695146ced76242243269fa6ce10

SHA512
8bb5e79ac1284e49e199713bd35cb1eb8f088d350547a5c76bb89d50fb2c04ef9f710fa8be65a5789bc887d81916a5b4b2e5c83a74e010bd4db44408b213499f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7dc1de81234e88c6a3c66452d1e12426

SHA1
e0f9a027b3ac2c55317a5f5febbdcc4cabe3d9ae

SHA256
9e4b9dfa47ba735336d822427875bf17dce70fdf1805b2502f053602d9b4000e

SHA512
f0024554dbb384f05c5da28e9fb1a04e1566aa1c28a7a9fcb4fa8e07e4c67718c2ca904ce89df97ac8b031cce702fb065ec110fbbd1cd5a7662ffe92d674bc8d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d00f63e3-53e5-4fce-9e82-57d18d729af0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d0df793c4e281659228b2837846ace2d

SHA1
ece0a5b1581f86b175ccbc7822483448ec728077

SHA256
4e5ceefae11a45c397cde5c6b725c18d8c63d80d2ce851fa94df1644169eafc9

SHA512
400a81d676e5c1e8e64655536b23dbae0a0dd47dc1e87e202e065903396e6a106770cec238093d748b9c71b5859edf097ffff2e088b5b79d6a449754140a52ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f7fbbaf43877dd0fc1c481643b75b870

SHA1
8ab2feffc641ee687e40f8c0443fab7492b3c62e

SHA256
55b6745d59b6dd1dde18efb8604e58c82b81c58b597423d8bfc6eaebc962330c

SHA512
8ad37ec21b570eb337c3ce2fce934208a39137a4b81c268d10d07fcc3433c01b50425dc4455e139c484078dd129f4e535868efd8c10bb2d712e89ae23989753a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
9cb9ca46d8245c0d00ade396417a7bfe

SHA1
d2efef72bc47d7420a9638d1bd2169afd793ebaa

SHA256
1ae5a3bbb076922571012f63393c2243b427ef941f93cc3a92ece18e75d9b584

SHA512
7b4457a9cd42ddaaff8bd2494215cf37abd47b01329be2082601fd26a1ec0be8ccab4cf9ca3afec8f2af5e01e08d8c9600f7b0fa71e867f1e48737ed34587f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c84a09aca80ab9f9a6f170960bf94791

SHA1
567c33c0a7009c9becaa97f6c82bc6b9fd9575e2

SHA256
2eb3604f5ee3958b4f279dabed764f1e714b3b9db459831595a677cbac3144c2

SHA512
a4d3d4c22b2bcb4b09cb05276fa46094bc4e5096642b85cd00b3a83eeeb41fde1c941813ec749d22a1035e48a71dbd5320e8470c61abbbf14954fa82667a5292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577b3b.TMP

Filesize
2KB

MD5
1d0245a0816fd932b1963600bab98460

SHA1
82d188a3a5fd107ed83000e16e41e0d67eed941b

SHA256
b9d8f68c1f5aeadb1748f8efa21c33a4235cca822bfdf19951d296b2f29944f6

SHA512
febc999100ab08b73d52fa2a08f7c09cf2281c420762d121150da6cecc922372a9591619163881a5d2956cc20a7bd6d1b5017b6f0575b55ca6baeeaa604632f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
45909098fdcced348735f9540cdf95f4

SHA1
bf6215704211c5facf25731526449f7a42b1a4cc

SHA256
984bdebb29755fc012d67cc6440ef7a566de1a5af7e96a90d29aa90d8084962a

SHA512
1ef6137027d05160ac904cf493b4be0b550b344f53433f909e65245cbb51543d76d95a00c8d257cd8fc720344cf4d77a6b3cf8dde23da59ccaf6f996213b7d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
205cd33592fdf4f3215d5584dfae0a3e

SHA1
8bce3119988aa54d0838b660d9b551f68e7cb8f5

SHA256
d52d8f76f5d76105f5d2e0cbdfa7325998cc5bdcf3e5ddb48a0766cdab80af10

SHA512
29b017e23305db313bdb8eaa2ed5113b5500853242024e2f709151a55679219bd024fd2965a72338e8a6e9593dee30a7c520af95897be9b494d2b2811b02564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
832480d14406f1e8d520bf7d49f94166

SHA1
7133956f054f4ea4b0b99ef473545dc70c661e97

SHA256
2bfc8ce67926a4962e53772a5d7c08017feb7571675a03d861f4013d2ccbe6aa

SHA512
68e44b9f2213f3f3e26cc5b4c5ea6f71faf2e500f0cadd446aac7726497e53f489d6fc17425eb83c325365280fe061793b3a0b81720ce26210e290fbec2f5c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d3586ca0c48c6331d4f145b9f90be27f

SHA1
0c892ae945582573448298253af2518c98ce2ec2

SHA256
80ed683dbd884246b2f8c83a6b57712e7b6d78c80fad30d6a04c84fc0f64daeb

SHA512
a16d8b0e5e1be7bffa11cba5bcdbbd6b066d2d52aa268368cc9ecc13db2410f94ebacf08057edfbf2b9748836475674cb8fdc6511d976887f4484453525ddf57

Download Submit
C:\Users\Admin\AppData\Roaming\ee13f0be703f493.bin

Filesize
12KB

MD5
e1ca48b20f57b570e226aba66934a756

SHA1
968eaa578014a8719233507e20a2963ea419abda

SHA256
3f60c0a2e91948b4c4366050beef50a1498bd47960e2b0bf05272536de26a978

SHA512
3d468205f20cd11f5dc3f235be1f01a62cdc8df866e8211c53de5e85338f6076ecca6b537929e2b63132f4e6f612ff7448337346911d97e53923944bc1fc6806

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f14e71df4c7e805779991012b9c8c1f0

SHA1
78f70767ff311a6967cab59627cdfc1d90607d80

SHA256
25f2966b52cc2cb5d04cd9e3e4094575d7e9c5fff028cef54e6cf9da28bbd2d1

SHA512
224756bd8a319813d9cd7ebc68e398d0a8f935f4e11f01b0a1281e91210e7d1740172da5d629087393d37cc80f786d0856424a32c005ed45b24bbb93e75607f2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dc5bf3b1d33d23a0d7a4bea16b485b1d

SHA1
b32dc59ef968e4fe7d15eea228fc48feb02b1cf2

SHA256
d6c3df7de44bf791aa54a301f01c99176955650f63af7c90e3ded6b8222db351

SHA512
d9959524b67afa6bbb3066d8130cd67aded06be85617cde054633db2172f4bc5660619da82e28d13bcab3df32396f5b1fc25b0069db55b09d8ca7933f2525dc6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f6988df765401c07950180aea90b0e9e

SHA1
3b2eeba3a3186766e3d687f81007132b13d98a9c

SHA256
d8c463928f911adeeef6a3a5e709d7fb1a6ef96bb3148156ea59fb7b9701d14c

SHA512
3e2c92d4a188d9709ec9877f2b76bc050605c026091e2fef61fb654354627efadaccedfad192ae52fb196cce7987314817e3fea0e4826a13e0e9a59d66aba359

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2b9090e7e6e2489eb6321bb997a9691f

SHA1
15c34559022cb9810cf6f52f866fdc4d088b061f

SHA256
dbe78e296c339858fa8d5545d4c8efb0d8c89fd601a6528d45d134aaaaae9721

SHA512
2e80c407a957f4c15d0f06644795dd1c466b5784130c0c0eb1dbeaee4c48be1e02cf532274ddcad7a97ab9f8752f6ee295dd101af7d9d115c83194ced8ffcf73

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1762864da1528b9dade8d53c82d796a7

SHA1
d592145b0a3cd840f7957fa36c898d754e7ecabd

SHA256
56726c7787eb5385a23b985c9893337720de7ff3778665187ca7bc0674994948

SHA512
b8c1b3b5b9e2eb6d37cca6dcc002911182338329d8bb0e4d947f764b2391bf7c23ad35f36b26197d96244aa785e2f063946d18c26167767ccaab43c0b1d196a1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c90e3af1e085de4a72ff71958dcef17d

SHA1
b00c041addddd378ec38d240211514a2de4cba6a

SHA256
03512d398b997112e292522dc951e01874c667be3116d83734b447ca28a240f3

SHA512
65619d250493a8579782492eb17fe99993959ed0403d888eb1c1969cf06e951873966a8446e99a7cadde443b08fca98970981ca5dedba12fda85e5f3d67038b0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a1c1e0dfe0a2cc06c4a5dfd516431a5e

SHA1
814617717f9d1afcad1a6958b3e05550dffeca11

SHA256
c2db66f821c36281e1998152d32195cd2e8636cc56a8e22673b71afeafbf85f2

SHA512
08271c0c7c596c7500f1dbeafcf215397089e7879a27ad10d6b9848538b389cc9536091e2a0ad0b2017f6d62c2c520b69d537827104ae49e0dd9a9c3fe89c61b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
11d85981f38f8663df02bf64ba2029cf

SHA1
eb2cfd6522ac799b7235e3c3586ca433a5a7be21

SHA256
1082ffe71a2047e4c1027d1cdfb5a9a7d5a1400dd498e5496571bdf9f0e701b5

SHA512
ff432937d63a8211efdaa828896fcb7d5ea77691351ecbaf46e46fcd73c5d9a3808baaa26b7b70d65c360b2c4f5ab5c12831d75237399719068e7915df4563ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
73be26d1d7f5572c7dfc248cfa3a2d3c

SHA1
26b3b46b1d304b43063f6d84b6fd6cb43f2574cf

SHA256
24c77738b7c737fd32cadf04dfb31ffeb2f3d7c91c7d7e50360bb851263c9216

SHA512
03cb28abb39f58de2eaf01b6e22c939599e9676cfe9e1b8cabb2393f41cffdbc54dfdd6a71af23580175bf07ec6d1eded5dc4e262aae0f86db124094ec473730

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
181f32e10f29bd5c5ee1832818cf8344

SHA1
81290f244aa22e2eb35316777884c9eb732779e0

SHA256
99f818e28d2c5a4a02957ff9e3d904751ddb1968ad4347f3078c16d8d028cc12

SHA512
6dff1cab55b4c21bdf5f89c1a9fcb5708ac684d3db36784f85624c78e0913256bdd46297ac13b23ea0219ec3e605f2d2bd1b964289e7a8a350965e2de6e0a71e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fc775d15692350020dc44670fa2cb907

SHA1
716656b9b73d77fc44f4649abc5c92f857aeb2d4

SHA256
8de1ac3a4c1f2bcb43af5574041f5f841ed2eadab6c424b77fb2342b3e508a8a

SHA512
1129b307fa0d4c5c80259d9cbddd33b05797f957c98c9fbaf9afa132f02fe8fec0434dbe49d36d16de0ea3c4e6c246b2a8b34032da4943b16b1d52e1df6caca3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
71255284102debb1c9e1ff0a4cf4e097

SHA1
00041daafda1e8ee08803abc70558d0ee426b59c

SHA256
0b425e8aa4402705380245e1392f558797ba80d579f4f57f002326cf0aaf0ed2

SHA512
fffb75e0b9ff9bd42c588e6faee7145929f8b96c4c0bf15205bd0a2428ebc9b4ecbde24f19435e74ec816cddd9065dc39f32e3762cfb67619fb133af90144b8d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1f179e30ebac4e27fb808676b3709d99

SHA1
cbeb3ef6414bcada7ad30cd45bb972d210542f1d

SHA256
c0064e667a0f1ef4b69f4bcca1ee8889de8faa7a876501c7123f130aaaff1a3c

SHA512
a9bade719f2e261f44e5644167f4b67212449fce5759e29e88ce59e55d7dee205ac68314dab533755f1fc500f36f60f2f8b25296c73c0b933ea21593eb6ab6c5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b93d91805e02e1331cba0fab2b5f18b9

SHA1
7adee81e0661fb31317d8c52fbd58d3efb9f60b1

SHA256
1f2b55a6a129fef2558034de247bf7b564e2a82af7abb64d785a1a45ccb283f3

SHA512
b2e93b09194078ab191cdec4e6a77df2cf3c2dcfb94410d1c0b28b6bb30480f45439dddff6e3304ede0b343ed195176251c64a007868ea70e90a195eb06251a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c0ff85f24719204ddf409a63635c3280

SHA1
63349ef844e517273371bc8c7bc7088b266b7f32

SHA256
435b52cce4b10d8cdfbf55aa132c91f9e7494b7a90716c52c26c9b6157e56c92

SHA512
4da4a102558133103cdc0d2b29e3f7b598ae925f3cbf262b0f8b1475742a3bf4b47ba6080f1f119d1e6be7864dfd9e8291835c166820cd924d526716eb8391ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df972d739578da0e067ba77b39f9b77b

SHA1
43fbd43aff8af05909e6308b67f784ab28b8b723

SHA256
597e75a2a0c9010a2d6d5e9107e3f43461b85cd0d4aca23bb358d4f0c6f55964

SHA512
ef2f27cc66c6b1d16849517aeff9b0a1be4d5ab42a4fee3783c282bc99e9fc351f77a3b3254a0b6358756aefb877eea40902a5c86cf602442008161a5559e434

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a026ad04b37e3c22475ca9b1d78c32e0

SHA1
146f0eec1d54c7edd457208390b3c8268fd66572

SHA256
f4749d48e222eec40dd8e58d70c70f93ff2c19e9baa2a6621ef22d9e70bce831

SHA512
0ee1810e222f290eae3ded9390e5182eaed457f9e526f2906a2ccb908c3948d275eb7a12edf7d81803912f760c8ab26c3a9ec6b34698ac475fb58a14bb290ea3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2e0d3f3e2e6400e698c7e158ff8813b0

SHA1
88cf6e3b0c4eb51298db64620f97f42440105de3

SHA256
2c759b68e8ac8797425bda49a3815295b8de304817622a7c97548e83d9714aba

SHA512
2fa29cf76e51430864a5ce182afbd3f30e57f20ef9ba84335f396d667de38d2880c9acc942580bfbc5b241f4ddab80ee6960ea5d3248df0102d2b918e3b2ed57

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
dd7a044bb22136e85285d21163fdef66

SHA1
1fcea0d904998de1bdea9cfa654a50c20b3dcc5b

SHA256
b918a44d48859b4ed705a9a7a23d4a816a368aa2161ad495a7a6d1c6992b61a0

SHA512
67afbad0468b8d5b405186c63a0960f5fcda15b2ab73767c292863e221265758001b2e110a3296f5d2ba1463863d556a535850a65a107344ade40a79c33bf358

Download Submit
memory/376-640-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/376-246-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/960-307-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/960-147-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1080-212-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1080-556-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1968-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1968-649-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2232-171-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2232-38-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2232-40-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2232-32-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2416-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2416-280-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2732-129-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2732-12-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/2732-21-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/2732-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3224-51-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3224-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3224-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3228-136-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3228-286-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3432-330-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3432-179-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-108-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3672-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3828-645-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3828-281-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3968-185-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3968-67-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/3968-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3968-73-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4060-287-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4060-646-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4420-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4420-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4620-217-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4620-577-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4640-23-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4640-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4640-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4640-9-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4640-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4684-586-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4684-232-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4812-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4812-56-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4812-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4812-77-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4812-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4916-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5040-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-261-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5052-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5248-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5248-650-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5528-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5528-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download