8b6aa89477e72a9727f3882e261bf81fc095b16cb068dbb97999f74a9072fa39

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
Size

5.5MB
MD5

313c923eca22dfca20f8784fb40b24ea
SHA1

91aa25cc02a1bcc30bf7ea11626d494010622fee
SHA256

8b6aa89477e72a9727f3882e261bf81fc095b16cb068dbb97999f74a9072fa39
SHA512

3a9430c58ad0a49c5b2d35f8c2126ac9ec5471cfecd38322a73a17c6aa130547a6999273c79f83585bd4f79b06a445cbad2e0f28d988ad02c8940917a87c5063
SSDEEP

49152:rEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:3AI5pAdVJn9tbnR1VgBVmnqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4596	alg.exe
3076	DiagnosticsHub.StandardCollector.Service.exe
5036	fxssvc.exe
1216	elevation_service.exe
4752	elevation_service.exe
3868	maintenanceservice.exe
888	msdtc.exe
4092	OSE.EXE
4220	PerceptionSimulationService.exe
4824	perfhost.exe
1708	locator.exe
4112	SensorDataService.exe
4784	snmptrap.exe
2352	spectrum.exe
3420	ssh-agent.exe
4624	TieringEngineService.exe
1684	AgentService.exe
2116	vds.exe
576	vssvc.exe
3964	wbengine.exe
1308	WmiApSrv.exe
5192	SearchIndexer.exe
5284	chrmstp.exe
5420	chrmstp.exe
5600	chrmstp.exe
5736	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\991f0592d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eb2aceb3fb5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfba95e23fb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dbf38e23fb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000724842e23fb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001929a3eb3fb5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b09731e23fb5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618424872061660"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
6076	chrome.exe
6076	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1752	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
Token: SeTakeOwnershipPrivilege	1340	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
Token: SeAuditPrivilege	5036	fxssvc.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeRestorePrivilege	4624	TieringEngineService.exe
Token: SeManageVolumePrivilege	4624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1684	AgentService.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeBackupPrivilege	576	vssvc.exe
Token: SeRestorePrivilege	576	vssvc.exe
Token: SeAuditPrivilege	576	vssvc.exe
Token: SeBackupPrivilege	3964	wbengine.exe
Token: SeRestorePrivilege	3964	wbengine.exe
Token: SeSecurityPrivilege	3964	wbengine.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: 33	5192	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5192	SearchIndexer.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe
Token: SeShutdownPrivilege	4660	chrome.exe
Token: SeCreatePagefilePrivilege	4660	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4660	chrome.exe
4660	chrome.exe
4660	chrome.exe
5600	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1340	1752	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe	81
PID 1752 wrote to memory of 1340	1752	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe	81
PID 1752 wrote to memory of 4660	1752	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe	82
PID 1752 wrote to memory of 4660	1752	2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe	82
PID 4660 wrote to memory of 2216	4660	chrome.exe	84
PID 4660 wrote to memory of 2216	4660	chrome.exe	84
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3936	4660	chrome.exe	97
PID 4660 wrote to memory of 3668	4660	chrome.exe	98
PID 4660 wrote to memory of 3668	4660	chrome.exe	98
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99
PID 4660 wrote to memory of 3496	4660	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-02_313c923eca22dfca20f8784fb40b24ea_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe604aab58,0x7ffe604aab68,0x7ffe604aab78
    3⤵
    PID:2216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:2
    3⤵
    PID:3936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:1
    3⤵
    PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:1
    3⤵
    PID:2428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4240 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:1
    3⤵
    PID:1928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4224 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:5924
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5284
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5420
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5600
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:8
    3⤵
    PID:5352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1924,i,3745860004842255023,16729829219765239463,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6076

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4596

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2780

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2352

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1308

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5192
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3a4f6710c447e018039222d949919f7c

SHA1
fb9ccbf3d633413e5df24367b11ddbdb626440ea

SHA256
018bf8b762db19e58bbd218df2b6aa52a59ce6e525e87e9238d90c59f73145bf

SHA512
2054af462a71b9dc45ea207cd9da800920692e0a48a12cd943f6bf4e39bc4605055e689245390f56d1ce6b20750ae8d046c1e917e062969e24b949c758635fa4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8746afb8813e5e237bb7135e096c34a1

SHA1
ccfa9b9285d3d6d19124a8abd8d9a171b3d6af6f

SHA256
91819cd0ddceadc74f5bf91f66355b68d31e7d00e12b1add0d5abc504a0bdfa1

SHA512
e67217ac86ca49b2e997486030c4a138e5e5eea3d0fff20d5b8a2e1861b81a2901b61299f789c2367384dc4b255483120edef679d5fab98b1b6fdef0c482bb30

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c54c7bfd3916f2e876013c841fcd1f56

SHA1
1af2d520da79e6bfbba24b61083415dce4e15297

SHA256
5ce9743913ab7d9a231cca68950aeaaa27615930ac4f91d78cb268ed09d356e0

SHA512
342485e13839dc38b548fd81a5dc1f369ccc2eedfd6153e6128639588deafc8f4ad4feac4a9e146f1ace40d2ae4dcd648b1390ae5facbb8ac1674cc143dfba09

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
25731e194adf52984fa5c304ab9af411

SHA1
8b32e2382ba623c19bd1c5c92579494d555f88da

SHA256
63706f98e2d3b0df4b10ce24e70ca26915d4f9f1084aaecb0b1e58c2d844a16b

SHA512
cab6642af9a344d83233bd3a2200d776ad442e694fe962b82db112e92e3dc1d878674a498b45c5e8aa64439e90c8e95089ec079106321ad6da073fd44a9ee8d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2168ca83d8a4ac7419eedb59bacbaa9c

SHA1
452891970b6e89925988fea05a284e4081fcbabf

SHA256
049571f3bdbf4d828af1b575b1ee50d2c111ef108bf2a0edba28d6614ccbcbea

SHA512
8ab7d9380ca7fa1875683fd5c734033e4f448c5cd659a025aec001500f521a7f19fa1313f5c3876bf8d9bfd3eb0c988e2ca238eb6030f421392083e6375fd5d0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\54e45b54-4181-434a-b106-c3f03e8874f9.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
74d712b2f7d01d984cdb2e22269eae5d

SHA1
a4b04bb8cd330886677b32ab9729a53bf943f02b

SHA256
d2049a2c27a32ada29ba1fc1ad97c5fe5909e44db86ba6fbb73d1a5c88cbbfb2

SHA512
9b1560d9c5739ee11b269ec004b7ff8d73bcec3f888999d72e6027bfeef0370e9efb877f6a238b7cba070ded085cde2cedd2803b0a545be5f736de3920a478bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4104176109f1ae43e72d377771ec7fd0

SHA1
a2ee02903c72f5900479d640f17a8db3541ca95d

SHA256
e42d9076671dca92cb547420c19381ca770404b2eb60a011c67477f0796a1c40

SHA512
5ec1966b2d943b786ce89d73a5e42883584e3210bfb8c51e26495e42a6224051424304aaad315ca19fefeaed663d43bd26a4a39bcc7539c9cf44a4c0e43ffd3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
71094b2185d2987f4ecc251d2adbe6a2

SHA1
55f7f2a506a74c46c39c008f8770aaf5b4cb0664

SHA256
df5ab583c2f55e6c5cce7b57e466b22e478587eb19902e1a4f6af180e371c636

SHA512
c046ba09dda7ea8e1035137b78dfabed1c46880aa433c289442756db0a49a34c8e676866a7b55cb46d63834ac1f34c998839125a63c21fd3f7c38304939be8bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576978.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
480845b53b77bd003a9637446eb237f4

SHA1
03cc73f621e44c62b06193ee0e33e21b6cdde10f

SHA256
d2116c0a2e2488720d10017c89a7327a8aa187f469607b19a156a874419665fd

SHA512
b0acbb4242386cfb1bdbcc64a1d8576bb1b2662a8d2b38e44c3f8a2e961a6b9bc1600f01a5659a1a980b1ec9deb2c3a65a501eda8de078e2b29b93aaab9693f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
d756f3ff270b067425ee06260aefaaf3

SHA1
2e2305145ed856c69a8230bc1ce3dca864713281

SHA256
59ce62568cb44f15ffc583f2a33478e3c8c2ff58093d9e00f2a6c89d03666198

SHA512
8d27b87ac21cae2437715258ec9b567055b61fb0b044734761077c9dccc7f505e1c70425ebdb27ff3ba57d9ccb5e962942ca46a5fcdbdf5837d0560b3f5590d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
31dbfa86563a0bf54fccb15d5cad99d8

SHA1
bdedcd1ac97ec94c48511a8061945944a3fa77ae

SHA256
ecd51457f0a06248bb77d7b9bf5629ea873d81540af24e80261aac4142be8f01

SHA512
1aad3667bc8bc486c6d39ab678e2b207f91cd6bb0caf95b9fba8e20b60c8d1326268c2d11c6c5b90353d945d2b5559c43aeb079234860064d8e03b57608a5b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e7166ef8886262c0c2aa1b6bb77818eb

SHA1
215ac266332adac5b3c7e7d27d3d25a67b3eff54

SHA256
e0a19c6b809d645c2ee65fa0926f5b70a212ba7e8025b9cc9ff3e2b24c4e0afb

SHA512
30b415fa9083231b45a0078f35081a391a3e52310c796d2797e2af3f23d14e5a1ddf68e95b6d571994df4dbb8af6809647091410be01a5c128ca3cd78615a252

Download Submit
C:\Users\Admin\AppData\Roaming\991f0592d590e271.bin

Filesize
12KB

MD5
f5fdff95295cabdb683fe6f82cdad17d

SHA1
0f84fe72fe045f93a6bf4cc5c056a24a6fbe6d3b

SHA256
af6aaa7511ace389308a5124357c8a7e49c0ff9cb15a2faffa1286667eb8e44a

SHA512
b828c63c1aa40517dac82098d52716635a83c492c41aeb6009d498a03800fed641b93002ae3c67267c0b28b40c6ed791101de0c3505ba2f6b0e6f9b14ab8caea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d0677ef19ee9bd80536ebe89b5e90e1

SHA1
282d10272e5c5a03423325658c8b6f368654824e

SHA256
eb4d94c7056f715b950ec76287766f1b147dc0e7a5adcfc971057d7c32b51fde

SHA512
254a0a340d8f8cd2bbd04ffee8d6a9e397b1fb9678c95afb224ac3b2a8017a48d5b0f1f999b3de829f1b642f9c16e15d9e9e3eb35ebfdd278fd8daa5d24ef0f2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
df72c10022620b672dc923027ee92b49

SHA1
3dddd5e7684203c4370defd014dc3ba9f7ccdeb7

SHA256
7482fbe7270dc132c20b72af3799e79ae963b828ba396f03c0a99b13bdb3df9a

SHA512
3a5762f3628e8f42cbfbdf8cf6b82b5a9c4b0cd75aecdf10149af0643d802c4f547a405ca57dbf8f2fb8fb67cb3470317a3554a62e69d767ede83521d8bdb20a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f76e011e8a3bde030bd66967d7bd9405

SHA1
76541fc025e2f980622d5819934a4a2d72dffcaa

SHA256
183619ebb7c5bbfb3de5ff2a61b4d485d2dcdd6f35db86b67f08da886ddd0f5f

SHA512
953e07da06a19787072510bffb90f70a7a5174344b78b8adbfd1a71be9298a1376599cb4cbaae682b16d4bfcece44c44ad4c36a610d8a8a2127b0b42663ec864

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6220e378697487e4f161c488e1c96255

SHA1
9755434f7d49ca4a3cbc89a1c55192a2a5ec7c45

SHA256
2c6f0a5b0ebf196753365e13ef77cffe39e4764dc0e0ae11f6f48e7b49c8f7d0

SHA512
af9499a92eb1f325be7c6db4d55bfc6fe0aa31739483c23006d6b3065943efacfaa0408cdc7f48c10e24693ad45806a4e7dc61301fa6efca8ba88d1472b08ec6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
27003c81cc2a656aa0e75b751302ece2

SHA1
ec10ea984e35baf6a8fd1eec54328f7048a163f9

SHA256
bc9358a6dd8c3d35c76f400001040e6ee74d3a7b7f5497475af4b6f65d4fa442

SHA512
6d527647ea14ef9294c8d2a4d0df12782070826d5808abf1c1e5899a50311c1ab6567d6751099c20024505bfa4b38d0f8494cfee571b48e5b347d21fa31ef36b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
f925b9701dd94661a25d3e5c8e0f3973

SHA1
39f4ca84c357b1437bc4e4c65b4291bf2a874d75

SHA256
c093da0ffa401c84799e196a41faf1a44e1a9ca25c25f78a7ac794215f4f11b6

SHA512
89a5770de31a35c3de3cd911eb6c5effc0be5123ed4b7f0d6ec1b324cc1499aa16fd8124d8ff00c28340039ec06c69a5ddcd85561b88a2aa11527e5740c6a9ce

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
917c2984ae6b95aed905937720602891

SHA1
cd10afd2d7622c530980b41b86b04e2148417f06

SHA256
86f4fb395551fa49d7a0148151c11d394660501bcce37c6cdc074b6dec175942

SHA512
f30447095c641ebfea1a6291c724d04b2f6f2cd913fcdb6f9c16cba3f293dcc73622efaff664ee8f19505a455e68d0a276583371ecbe284e8016ed795090110e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
44ecea6f324e22b3a77051c40717dd45

SHA1
92dfc6c604dfdb0f81fe8c01d6fb7ad6daddc094

SHA256
d0a383a55f1500c0cef2bd24d5c798b8cf3a1b56cb60eba0a3a169e99e4508d9

SHA512
8dab2e9a54783ce15e13bdda6c98529205406460e392131514daf66451a8fb49efaf5a8fde4d7dff58e8f862f668fc7ec6f493f414950b1120d4c1b61957c11f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
66010a456774631c3dd58014dd269cf7

SHA1
0d6e2c07be5312bc9f8620945255988965127cee

SHA256
b2171a152dd0e3796f791becde75f50c3689132573819211d751814c65e7e4bb

SHA512
ae3e20bacfca2c824a4c1eae1b6b1507f38bf6c9c643ba9fb59ae061d26f55bdfd81c00fcc82588e0ed6180f1d460033c59b742788b71fcf728ab48c3a7d9528

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5211a6fd6f283a06c1522d5923cb7db9

SHA1
0d045014a615a175798c5e35b50c6d86fdea6d3b

SHA256
04012ec40faa6290b6821f65086c2c454497f15cdbcb6be0dede5d2f8c064474

SHA512
998587d2e8b8316f67f2524c9060ced2a26358f634a0d7e4e2959cea99adee3f74c092edcd12a1aa9c3a3da05b2e385b5ee09e37ab1d66059affef5da8ec1704

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9370d2ebcffe27450abb3e8779887c54

SHA1
8f4a22d7a08437769d0677b57023d6353950a287

SHA256
6a8ad5637f47159c4a6a359cc9563f3724ee4c5752c2fe6425febb6ee09be582

SHA512
ca240c71dba5e6d8332774e48d20ea5db195d1c4e410357b61125c7e635d0e63184c5557f6955d6c48b87a33e0a3dd783ec8341c24c4c44c999284fdb151ff4e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31f25ea5091cf695a4d29be60d10cd31

SHA1
7281e6691eb707be3d1c39590b0d63fc2f502514

SHA256
dbeb68b10f9dd5629436d99826fe7b9f4aba4b7cecd5e10b29b7c36e99f19085

SHA512
aed35b47960b354f3a26e442e93f3a2d222b7059ad49ef26bb345738a399fbd78df2894728c2ace3f0fdfc4b403884c4786cd7091144f0e075bad777254afa40

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5b88d39c5025c902c80e2809ef668a1f

SHA1
c057618f1ea1eae74029ed0cd76fa3d9e90f0604

SHA256
8c67daa79af5b48334407b7b431c8899a6d881eb40600e7bfe35443e42540800

SHA512
ceab774df5b528cbf23fee16bf7c7a62442c730533c724266dee077efadb139f2d6ddba21cdc70fcbf29dae14e1851f66be9155fb3e68f21ab16cd47712da7d0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
30770733af8392aa0a8bc20c8b04780d

SHA1
90552ee08c4039b3010f93613b900a706fd199ca

SHA256
84596ffdaf4f9219123608c2f10c7459312e26cb18d873e0e94f5d9f3fc31a51

SHA512
1aac9f20eee8b370499dc16a2c05f705210fc23d494e8865371755a9f9adc8f15da5df15f4560a4df240d2c8a66baf8e4ce081a5609e65b871ff23fa6677bf88

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
858e4ae3178591102a034f79b4662134

SHA1
34ce0d6d04847bd217f3b1964827d87e6e127df1

SHA256
cbc6661216435ff4ca2f9bd7568296ec21ee416ed669238da67149e61ece9a08

SHA512
47d39d512ea0a4b2434906e43624fab3e21348e3ae74fa794a7f0ec0fc572dfbea2665c3e3d943e42dc5b99024c44b23fb107864c7d390e294e2c3e590aedaef

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6bddb2ba37e53e108207ba454d214162

SHA1
89d577ac3d953bea2e37aa56f10699b84ce32322

SHA256
814cb820f837f1a4cf5911cd1e174eb7ee485775bb411c321eb776e97f7c8897

SHA512
3b9309f5b4e896a413c67478d652e8f0684432eaf4b591b0a2510c85d9598914945813d819719228de0716f565cc418d7f99efdf6a203bf11726e761c72de4e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
7c13d37f67799b90344fe6d290eb0eba

SHA1
9eb61a1fe991449607add1860a8164d7c9a0f358

SHA256
69236c4af0b364490e9e27a6147e3eaf26d1866d4f0960fd73dfddfd5eaef500

SHA512
ab06bba8e606b28e05b4a1aa37b8a1dce109a9278467f979b2c5cdaf4c5b3b2d6807646f2224c646fa6a9c6e92b81f9f22776f7856b13a470b74cdadf1f4b02b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d45034cedc1157d4961a4bd5bc910ea5

SHA1
de563fedbe2882ed6ce555cfe8ca7af8fda26b28

SHA256
13c928f58f264f318b92b10397b90f9db0b535b0a52407ae68c54cae29e2831b

SHA512
5d8d21107df2998fbf57d42e18b4e561a07235d48a69b9779a9f6c31dcc2519b9a81be0b6102a5c7363e9291c25acd85274f8d67edf590b477f9d1fbbe9df6c3

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
memory/576-287-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/576-692-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/888-125-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1216-216-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1216-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1216-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1216-67-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1308-311-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1308-698-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1340-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1340-173-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1340-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1340-17-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1684-256-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-253-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1708-163-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1752-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1752-39-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1752-21-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1752-0-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/1752-6-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2116-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2116-267-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2352-492-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2352-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3076-52-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3076-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3076-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3420-517-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3420-229-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3868-100-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3868-88-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3964-298-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3964-697-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4092-127-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4112-174-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4112-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4112-613-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4220-138-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4220-289-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4596-228-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4596-35-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4596-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4596-36-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4624-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4624-535-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4752-126-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4752-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4752-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4752-285-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4784-201-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4784-478-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4824-162-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5036-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5036-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5036-62-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5036-56-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5192-699-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5192-316-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5284-482-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5284-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-498-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-700-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5600-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-701-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download