3130c4ac6670e6fd9c28c56c01be3b5e8f262a144e79f04da15ac9aa9e1608c9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
Size

5.5MB
MD5

fb810d111c776bab9f0a5e5c766499e8
SHA1

a0ffc786e1571a7aab93cb1a8bed2b7a587ffeeb
SHA256

3130c4ac6670e6fd9c28c56c01be3b5e8f262a144e79f04da15ac9aa9e1608c9
SHA512

d255bd97eb45527d9f1086ceb56b15565cadc5b31eb253548aa5fa0a07c8eb5db0328166877800e543533d743fb01a8512da7ebec74650d195f928b2919fff92
SSDEEP

49152:wEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfK:eAI5pAdV9n9tbnR1VgBVmwUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2788	alg.exe
1212	DiagnosticsHub.StandardCollector.Service.exe
1324	fxssvc.exe
704	elevation_service.exe
2676	elevation_service.exe
1096	maintenanceservice.exe
1528	msdtc.exe
816	OSE.EXE
1860	PerceptionSimulationService.exe
2712	perfhost.exe
4120	locator.exe
4672	SensorDataService.exe
4504	snmptrap.exe
1928	spectrum.exe
4288	ssh-agent.exe
3608	TieringEngineService.exe
1144	AgentService.exe
4700	vds.exe
1792	vssvc.exe
2464	wbengine.exe
2512	WmiApSrv.exe
4352	SearchIndexer.exe
5308	chrmstp.exe
5576	chrmstp.exe
5736	chrmstp.exe
5752	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\93e50129293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006505f9a41cb9da01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622671620585325"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fa115a51cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cab509a51cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008540f4a41cb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092abf1a61cb9da01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
6048	chrome.exe
6048	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	692	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
Token: SeTakeOwnershipPrivilege	4312	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
Token: SeAuditPrivilege	1324	fxssvc.exe
Token: SeRestorePrivilege	3608	TieringEngineService.exe
Token: SeManageVolumePrivilege	3608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1144	AgentService.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeBackupPrivilege	2464	wbengine.exe
Token: SeRestorePrivilege	2464	wbengine.exe
Token: SeSecurityPrivilege	2464	wbengine.exe
Token: 33	4352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4352	SearchIndexer.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe
Token: SeShutdownPrivilege	3656	chrome.exe
Token: SeCreatePagefilePrivilege	3656	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3656	chrome.exe
3656	chrome.exe
3656	chrome.exe
5736	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 4312	692	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe	82
PID 692 wrote to memory of 4312	692	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe	82
PID 692 wrote to memory of 3656	692	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe	83
PID 692 wrote to memory of 3656	692	2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe	83
PID 3656 wrote to memory of 3628	3656	chrome.exe	84
PID 3656 wrote to memory of 3628	3656	chrome.exe	84
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 2476	3656	chrome.exe	111
PID 3656 wrote to memory of 3440	3656	chrome.exe	112
PID 3656 wrote to memory of 3440	3656	chrome.exe	112
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113
PID 3656 wrote to memory of 3908	3656	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-07_fb810d111c776bab9f0a5e5c766499e8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97d54ab58,0x7ff97d54ab68,0x7ff97d54ab78
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:2
    3⤵
    PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:1
    3⤵
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:1
    3⤵
    PID:5388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:5544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:5240
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5308
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5576
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5736
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:8
    3⤵
    PID:5356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1908,i,1448838736606588722,4115682148343245481,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2788

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3904

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4352
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6120

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b5a625fecfa7360f30314b5365834f69

SHA1
f83a8969dc76f3db4022d58ba5d18807320ff89f

SHA256
c2afd2873eeb8e65b4a4d704eabb126115e885c43461a808d83970b3c65dc362

SHA512
ccabd0b0c32ee5d7e7bcf393b18a40d925079afdaff2c43da299401f45e25df01557892bb884b461260ed70ef4b61076e8d8484b496e262781884db8eb933150

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
201dcf8931cff0a01643c0a4988b372f

SHA1
e2b69bb08eb604e815811fe97ce6ce6ac28deb52

SHA256
31ef64eac8cee1a132287edab25b123ae222d127c4d8e234fc464866823e4d54

SHA512
b42cb6433f65dbd71a4fa75abec0161b9cb2ec5d493632f4da915e860b62c156960fd652af526cd71ca2b135beaa5239744773d4e8f48e7d5b1a8c7a13a54b61

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
38e5ed52af9c412545cf889406d5fc9c

SHA1
ee607ab100b0a26783fd7bb8eae88c78c6210539

SHA256
1a1f2d5c03a615d94d3eae87bad2f89cdffdc074bc5df76886646f51f4e18500

SHA512
b9a6ab8e247fe8a6f56c8c2cc31e904edd99cd6967ba506289a955fbbc9795c30503a0f5d0840816de27624acabc032510498498da4185870523d833fb9ee284

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d7327257dd6cdb06264a5623703ddc0

SHA1
a0d53a86d3c3cc461216740aeb0ba4cdf9cf7904

SHA256
3c38a108f6c4395b00acfd0b6337b994d1f116488229edb142bc2ad39450e563

SHA512
2889c262ed67221c1c92ea6ef56989963b83a4a8223cf07afba76d4721cc26443213094ca521e56aecf23e76a574d5c4c14574aeb50934928d8970c348225ec3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1700b90e399d44fb47b0096212410c3c

SHA1
1fd103b47308b1b311f97ea7192f40dffe75cb35

SHA256
415fa333cfebbfe147724990ce14f96baa0f7e712d23346de744be1c2a8b1717

SHA512
2d4c13a1fbc751ec84187068174c4fcda02c6213f2b9ec1d64509d2aaa8324ebaf797690aae2c22d06990722c889f09650fabf61c31015d05defbc9c83b6294b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\810a12cb-83bc-4b32-b2d3-32304b1cd52e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e12e4a949d10e3a387c6d91fd006841d

SHA1
787293ba2c3b8fa4fc5f807acbb4007585b269ea

SHA256
13343327411ce7e50aa41280624b4e93f7b85dffa4b6d6dc94b2bff07959f49a

SHA512
f8a5820fe9d25ee49ab860204b1951c0962c206d410d5571239aaabb3ab865c9e8a8a624cac0d21ed81cabff6447cdfdee5ce670e02b6716b5f6644f59186d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
2d23b2117703504f5cfb27be7d98e5b0

SHA1
5aa4e51c197f09aa625e48d792babecf500542c3

SHA256
204e50ef757e69c08ae746304795a116c845fee6b0653b7666b89a216c5b38cf

SHA512
f8a103496b5b769d85e1515b262718373ddf9131c7b3b57f04180eea30a1c1d0fc9835c599c4789e561b928af577a9b005eb1935377dca4c1da4f8f1e2f4f191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
82da29d9582273dba1236285a45af208

SHA1
a8b87195228da963e8c39965250da019359baef5

SHA256
738b9103f5b0c3d5a11678ef57ee5829e861cfae975d47c143634a8a9c9239e1

SHA512
0926168be1d928d887fb97d311c784a13b614ececab52a4b8daf70f1de73079dd16bed44ff462cce0db087a08180e06de2d31e6c87e3e19fd1c32dd2de922c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578388.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f7e6d41bfd0096dac6b4a9eac08d8219

SHA1
37e4190794b6792f4d6634ce963281561ba39952

SHA256
68d0143aca9263add5fd4a0458714fb63335ddfbbdd49fce8587745fc4312cd8

SHA512
1adad3d5769777253e807e63cbd4816bcf73e763c1756b29c19d0984e97b629eddb0b76c242f5c8fadf34c19fe0e6eb65724228c5590e610ccbb923843a8b44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
9a110be95e95bd946373c12e163b0d17

SHA1
48d19c70a00c293b389fb6ffba4cff2e7f34f9f9

SHA256
0e1148fdf031e7654f8e14bb5120f5bf8281504860a4edff53a79a568197bc69

SHA512
19ddfab6790e7aa72c0704be6433ed9e7cbc3d55de0415e4c81eadc24115336eebee53955413cf6aac51559c705a48c3a4ed287fba94c28676e176d9a46190df

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
93b9f10d2b9a60cad2feb799406e1e3a

SHA1
435373d3d5c267ad65241beec2db0986a0911912

SHA256
9a5d53569ba2cb52d65c1d29bfe94cea2fac737e18f0a11fc05f8003e53e03a8

SHA512
eaea5daecc5c277ba3ea6e075147dfc5304e54220c4a719ca6bf08f5efd52a9924c87e428b9dd2ca00ddb0ee2328cc0b2501d2d0cd5797f925912fb5d24d213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
e1ee487964843271ac53bf3043fe13df

SHA1
eea277762aab696371788c2dcc95b0dd3fdc026b

SHA256
5bbf79733554f03d90d9d9b73946526ff4901424b48d280e13f6af1c71bc884f

SHA512
ef8734fa34f687d73aab5cf4632149413c626cb21ef799acbec40eceeaa88263e125a4662adf0dba752f2facea6069f88263fcc0e8c3c0ed8aca1f73247a8049

Download Submit
C:\Users\Admin\AppData\Roaming\93e50129293b476c.bin

Filesize
12KB

MD5
cc0365a3d2871ecacabba6aecb7369be

SHA1
a82e7a3243e199e9f3d0826412b9820e1776feb0

SHA256
14248d2bd2796c7114715bc057e059067c64b29fb5fade4d38f7cbbe935f070e

SHA512
6b66a2310d914aae3a6e2be58ee356d58589e8735122c50f3a76a1efb089b538d4a24dc9be2857a51c2c22d4540f82dd2962927a65c762e00c1547327b88aad6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1d477ecc2f04d114e7b4358246c95da4

SHA1
bd2e97640636846ce8de48c3fe34c59a46b497c6

SHA256
1cf2eac4d26613dd3169ef53d43965dbdc9c21201d45caef031bbedf7e56f50e

SHA512
0b4bc2d84bf46d9060125dd2a2e9a0e9a45e38ffee7db666c3b63c61c6a1a50160e08fc6abcde199842e801bcfe75b6d535aacfad343a248fd9a6faa61847339

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f48bac3c50ef47bb48b65c1a0f6e039d

SHA1
26939124dac6d41af748e3656e5bf185a497271a

SHA256
1ad2962759187a8edd2748d877137f72bc1c437f9ebc0f3699622feecac95197

SHA512
1c71e0cb296f92d48fae3a55dd35158d5a26711c6d3e6c9c4453d9b1131ba7bcad1d36e3460d757eea062bc9198844403fed066da7f0dcf31d3afb26a6a81f7d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8a904689c341ed79b867775539273d1c

SHA1
54a49785f3729861d0ccf2c6d8088294747598a7

SHA256
3cf7e0ef6d0d1a6afb38fecba3fd2696b47cfd6ca00d13dc0de77cd865d68449

SHA512
e99baf3d002bc6718e9fe8837831d3b800f66cf062148f7382be523283f1d51a148050bdac644a510e795e351ee653637e957200073bea1fd224572dc3f63889

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dffa2c0f6a6c8c6386a52b88feba69ef

SHA1
3f43d9af8e74f733028bc2020f962b670f9a9a1f

SHA256
6f1da4e079d5ac6fe234d3fb3207fe420a16c8af48ca6db58fa0b8529f364984

SHA512
e6ad94ae67fca3acf5af3cd9d352269c92b66a3289c293a22902200f6c31abeb26be74c4ae46d10286f08a4fd3c3ff4466ecc10a0ea6a5e7eea41ab6e26b3f54

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
325df0e5f2c4d144f3926b0f73922942

SHA1
f319de1179dbaf4407dfdf465ac38e6a416b9335

SHA256
ca8cfa3ac1ec93491a69bc367ed7e2fb19630c572199d86f4f3f9a44e9e220b6

SHA512
03d7d5f134357b648fa24a0ed6831cce08cacbf87e51917e565f144589bfd1b6377b682bab4ba4666c19262df7b195b2240fe6f5b0e1dda2c1c856b2af7e0162

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8e9fe4246578e5275d7c73274e5c6005

SHA1
a4af0cfb119a47ca10794a1d07f4b8a61e427b1f

SHA256
1bff01e8a52285d4dd5bcdfb7ebc031d06841432c0d399411e8dcfcdc736fc6c

SHA512
0bfedf2975b9b18b36727511ee66b44f45153dd9aeef7b97eccaf01d64518f7ea436cb3fbed75ff11f9e731c8453124ba5d378457961fbd40fd03daa1030e7c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
80a0d5358226fae3590dbaeb1db5ce93

SHA1
8742d94f30ac263673d4fd2f95ec17388efc01b3

SHA256
0260f05137caf2d4740da22709455ba775253244d568b9c19ae90c9255f77c2a

SHA512
9502082313f2a5dbd349f4488ea655a1e90e1b266053555ddcc8a4a6a4ef56d2ec06a736d9552e5fc6ed8de7b3ed971016d686f4462b99f22bb4b188a1c55298

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8e5a7bdc7bafdc8821d62ce00d227a42

SHA1
011134a5e843b1ee9916cd3a40e3670627511979

SHA256
99f1527576cd02693f44dfa25ac4a1186d4271b14c723feb628ed1e6a4fab6e6

SHA512
e7794b8db27c5b2fe80717a4a82e495319dd616ae817e7b5521170177bf27a92fc768444b9decfb189a2f566244fd99f57c351015dfc3448159f4aecd6546b42

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cb86158e79658b5179009b4150018c8f

SHA1
a69805c6f74ae1f28e5e287f803e62023fd707d2

SHA256
d63e83a50571ac6728e39b1d2dc60f6e1e2e59a9287af47658f4e15ab7f9631b

SHA512
0ed766ecddf8ae7ea992ceffdc43a84d471700d50d4b2396f81dcab7cd53ef94c138e4e54920d5bc15d9d8e0985180483a20f8171bcddd1c869a616deee93563

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
707e01546b2452b4157515996063307c

SHA1
3974d9a304a59a9389c5a76c91da1f0fd25fc20a

SHA256
5de37d0c0e2870d2588efedbba454ce6809c236098c895f099ee13d87663fbc5

SHA512
2fb60164fc1351bd2d501743b9aa5a3943e13a9fd5a0de811f7a744e2e5d3da2655e395ea8115097d9a91b35db7d3cc9baed755c342d746908d52cff6564d670

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
39f41d4b18af3fe78b7eddfd8fee4997

SHA1
aa4c67a0616f7f3166de70340b2078ff8b007f92

SHA256
143ad9c8d6ae6f18e753c928d4780fa7b339f97db87495072ffbddb83294db6d

SHA512
bd63bad039123859d852208f7aeff6e8effb8002110b4f4488cf239d83521457d6080335591f4ab91aab833b5d060cd9fed79feaaa7c6e7950e117b8e3708062

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
283ad08d7315c47c6ca59a54a26098e7

SHA1
e6de6f1a54311467a2ec9534f659f404d0dfbf02

SHA256
ca37507c2fb366b2438673d63b24431a044217b5fc923c4c2c6113d94fa6238d

SHA512
bd3b002129e627bebc896cb974a45264bd18546e5d29b60514bc5a14110e23b053b5f70f3d11942b2cbad620a2a7336a4c69ce4c47303a02df087ddf2f4e9553

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
82ff098cdf694dd571de060c34df2ae5

SHA1
8cdc3c746489e48373036f86c92060f6355417c1

SHA256
944f0e14e6a12f6a9c171b812ce90d1d0ad835d48e64060b61c8c8debfd1f973

SHA512
afa5ea96daf023918bee9547d7d175dc67d6b1a0a82313840a0a3ff875f68105b84c38de1868aae8de82564582babc4853af5674383dd1d7da2c18246ea6f493

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
561fda33574e0122c8facc037cffa970

SHA1
3060fb403d24ec96dc68ea66f2a0b1d049fffcee

SHA256
c7f333b3432f6b238d61e0689fe0ef1749fbe646884ff777c5467e6c0c9477ef

SHA512
ad0b57823a96ce6f9fd01fa16b3d407253ca02648a0a150f6eb54a94e6883aa27cbbab33293c58aea62b827864909f0a97cf248b8a9d1266b6b50abcbba84a94

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a37e540ebbd7f3c86ee601f5b1604b83

SHA1
b325ff513c95b41d5e4a685f4c82c9da4a093943

SHA256
5cf243bf7d1f07439c738986789fd04d6654ac0ac9727ea6b26c87d08487d83c

SHA512
e8dc936f927a89d8d4b19df7436aeb6d7a0a4918ea89837a1d49c7d00d750d5e2b66c333f6bbe8d495060b2d099f4b22f54f96819db3b9d397d6b3358e164253

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d1a8fef2340b7df38532c189bad520aa

SHA1
d9ffb818d29a08abb93bcf1b50e1bede1a4d651a

SHA256
c1abfdbf010dcc84dbcdcc8463a977f6f090e27459fc6028bd79bac1ce3aac32

SHA512
4d4c5edc1ec50479945aaad3c1af23cf2f85a0db0845b165215e5fef00fa7ad818385e7c146f3e9320a62a1ca4366d7aa3d2dbe7a10cf22f5da2e59c08e57651

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d44b3d63a10c08e2b27e95363d9ec419

SHA1
44de7aeb42f3a79a18675e468f1adbd8a4c77fef

SHA256
36e60f23cd7dd09b4a7a8efa65735cf8a3ee5949aed470ed3a844687056a613a

SHA512
1c8dd4a81f1c7faf8dbe8cf0f89efe1611ed246044b928984e3adaef5e2a10233eabc425846da7bfbedc42e135c3295b6a870639f87404be1bcd3fc9fa7d2294

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bdbfe5b7867bae8b11a0cec9ada08116

SHA1
88689a0061d2fd047613f7bc1049acdb9d5a8331

SHA256
66f0997e123ebc464ac775d75b76d3efd385438205579988d7bd4813c3374b8c

SHA512
be9d99b4ed47ac0356e41de36c2c93fa2d41709dc91e87f9f19e6c54f4d053ed594c6cb778bdffe17c3469d686e6c38517894ad89fac27beee3bd6cda6a5ac96

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
memory/692-22-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/692-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/692-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/692-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/692-6-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/704-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/704-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/704-427-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/704-67-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/816-314-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1096-91-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/1096-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1144-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1212-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1212-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1212-52-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1212-51-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1212-799-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1324-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1324-87-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1324-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1324-62-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1324-56-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1528-312-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1792-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1860-315-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1928-321-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2464-326-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2512-328-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2512-810-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2676-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2676-313-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2676-809-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2676-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2712-316-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2788-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2788-39-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2788-42-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2788-663-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3608-323-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4120-317-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4288-322-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4312-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4312-576-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4312-11-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4312-19-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/4352-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4352-811-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4504-320-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4672-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4672-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5308-533-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5308-593-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-812-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5576-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5736-573-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5752-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5752-813-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download