3df641357a1030e2a909cdbb3220dd50b5706a0a0fe1ff0ffea9dd3c42c01a8f

Analysis

max time kernel
18s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
Size

5.5MB
MD5

91b1fb5241d8a458448f2512a07f58b8
SHA1

53af027bec78c453b7d8c94c82a71ddd73d3704c
SHA256

3df641357a1030e2a909cdbb3220dd50b5706a0a0fe1ff0ffea9dd3c42c01a8f
SHA512

7a0991e2ec323b88af107b96cd37eae5d05435a110f5158a365ab46535fa868fff2d573eb8d22c0ba61bd0d12e13d9bdd0ee65c3a190fdbf37065b4422b39cd2
SSDEEP

49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfX:UAI5pAdVJn9tbnR1VgBVmtqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
452	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
1920	fxssvc.exe
1624	elevation_service.exe
4580	elevation_service.exe
996	maintenanceservice.exe
4456	msdtc.exe
3012	OSE.EXE
3208	PerceptionSimulationService.exe
4836	perfhost.exe
4832	locator.exe
1372	SensorDataService.exe
3372	snmptrap.exe
1912	spectrum.exe
3572	ssh-agent.exe
3124	TieringEngineService.exe
4536	AgentService.exe
4008	vds.exe
1664	vssvc.exe
1592	wbengine.exe
4384	WmiApSrv.exe
636	SearchIndexer.exe
5756	chrmstp.exe
5808	chrmstp.exe
5912	chrmstp.exe
2768	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4ded42f7c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6405acd97b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c681d9cc97b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623200542077703"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2f434cb97b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000065737cb97b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3560	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
Token: SeTakeOwnershipPrivilege	2452	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
Token: SeAuditPrivilege	1920	fxssvc.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeRestorePrivilege	3124	TieringEngineService.exe
Token: SeManageVolumePrivilege	3124	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4536	AgentService.exe
Token: SeBackupPrivilege	1664	vssvc.exe
Token: SeRestorePrivilege	1664	vssvc.exe
Token: SeAuditPrivilege	1664	vssvc.exe
Token: SeBackupPrivilege	1592	wbengine.exe
Token: SeRestorePrivilege	1592	wbengine.exe
Token: SeSecurityPrivilege	1592	wbengine.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: 33	636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	636	SearchIndexer.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe
Token: SeShutdownPrivilege	1552	chrome.exe
Token: SeCreatePagefilePrivilege	1552	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1552	chrome.exe
1552	chrome.exe
1552	chrome.exe
5912	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2452	3560	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe	82
PID 3560 wrote to memory of 2452	3560	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe	82
PID 3560 wrote to memory of 1552	3560	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe	83
PID 3560 wrote to memory of 1552	3560	2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe	83
PID 1552 wrote to memory of 3488	1552	chrome.exe	84
PID 1552 wrote to memory of 3488	1552	chrome.exe	84
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2144	1552	chrome.exe	99
PID 1552 wrote to memory of 2928	1552	chrome.exe	100
PID 1552 wrote to memory of 2928	1552	chrome.exe	100
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101
PID 1552 wrote to memory of 4644	1552	chrome.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_91b1fb5241d8a458448f2512a07f58b8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c0a8ab58,0x7ff8c0a8ab68,0x7ff8c0a8ab78
    3⤵
    PID:3488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:2
    3⤵
    PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:2928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:4644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2784 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:1
    3⤵
    PID:3096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2792 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:1
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:1
    3⤵
    PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:5492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:5516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:5476
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5756
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5808
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5912
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x274,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:2768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4172 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:4860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:8
    3⤵
    PID:6112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4048 --field-trial-handle=1932,i,12595584942538346715,10658362176125305174,131072 /prefetch:2
    3⤵
    PID:5568

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3308

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4456

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1912

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5308
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6f12c57b3bb371eee882a35f7c522073

SHA1
f0918053254239dac552edf8766d008e8beb11bf

SHA256
ae267a47c84a1e76e6caf3a5e456f326468bac660668dc375f4f68a105916ec6

SHA512
1a873944a17f8fdb35306f70c770d90616b076170d41240d404109fe6de3fd534a04fe5e5e7ab903035a17b61f505c94354d8d2c18b1f7f0f3ea7e73ca59992b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3bd952d0a893f1534885351d0ac53514

SHA1
8636ee2920f34f8be25d6638b0c368a7b16a34dd

SHA256
fdac113bbb3ccff56a82f29639c67b7cbaf06cbbe6d271429d2b370513023e24

SHA512
0db0f1f16d61cac307cc7e9ffdeeaf69a2084e9c62feba3a7df53dd3aac48bd61f34c6ca61937d440f20bc806cfedee5bfa0eed4d16d3f458e60325366b625dd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
32591babf766e3384211542597476a51

SHA1
b2bcc44c2eba2b20fd4c581f57e9c115625f2c4e

SHA256
7910f6f3c7822a17eab840357a22ac3cd5ef05346596629164fbaebb3ff2fcba

SHA512
26aafb120b32435505d7e62d6f3485d70844d4b92d1d5b5e66f1f67f2836c0637aa48a1b260262997825771f5f6e4fd17316c4102da73a48bebcd4a9ab37161a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9a02292de4e1dd48c9d394931fa2ca36

SHA1
425e0330d0bae9a21d1b0db2cb17ec1a6c7b0aa2

SHA256
a5e5a0e660051c9191bbb49f469ce6cdeafcf02961fd541a824f020693b43548

SHA512
c4449f725b1ab964cdedd62fa22c2635c1e645bfabe7badb67a6fb0216873e11b15af0ca072fc89b6b8be029c0bbf4e26a84bde3352cb991e263829955e2157f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9afccf5a1d3e8f2cc8d032be181243ed

SHA1
a5bd7003ea8eefbb2bb0f8c4804a614372e98f64

SHA256
d881356c2ec006adbd72e91a2393b5928a3f33feb2d06c24ae217fca5b0a3b47

SHA512
1bd0e1892165ca3f67256d527cf277037ff6884db76c67219fc54e97dc5e174c92adf3c4e070020a46d34d176dbec1d184694b5538ee2119770cdabf8ea00c42

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\76000980-2aee-4911-b3eb-0c1f9413a1be.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2185b490cc623805605d20729844b551

SHA1
029666008cf40389a1c60451b56a2015632eede7

SHA256
e06846f3c4046034fef71166a7361b7a5b4d5880414b57a61e1d237df985b402

SHA512
5eb2c3607b1bd3b86bdf065cb4c11a150f3b0b9f1b116346416076d34a1da1168fb82301494dbd073a4fcc932be18fb5e77a358854b72cdb914db3a0afe3253c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b061bcd7f3bbd5a5f238e5fbf5bc968e

SHA1
8ce10bce694cfddaf177c3ffc58a99e464fdda2f

SHA256
1038aefb20a3d55916e28a88e6d3e5c48b92cb6da1bdcdea495dd2259fb65e8a

SHA512
f4120313f0ea7ae17d0c8c15e894e79a8fd2764a8805248b2720d1996af1e350b642599be66428ecede4db2db5cbe01cfa2ef5441bedce0a1fbb71cfbd212d32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f8ab43b54c7916167ad80f1a3b708098

SHA1
3e52cf728e26472189d03a4408d24bbdac03d439

SHA256
e07b9cb9bab975db63ae5b7aefa9942a48bc24d5a7846065e3555ff0dd95647b

SHA512
7d71920e41b49498b1274c9664b1f127f18642ba5a9a4f1a4816b241f5e1d8507eb2d8a8609abc10b5d1cb2133943433d8b4c6acf2a24cc15f14b2d768e9e7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e128ae2ce08951ec402201500710a721

SHA1
7cd8d03b9f1be6b86c4b640177494b8da07bafd0

SHA256
1eb0538302f765edde5559152321189abf20122150e9e5a11dbc21d22416e69b

SHA512
f642196063292db5306057cde1e55aad6bff38ee48833dde376862ba70b9f7694b53df58613235c8e9e6adeb4d565420bd1db5a568f47c25e26b32849382717a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577e38.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
bad51c249309b23e6df2aaadc46f715a

SHA1
1cf52e0248cf6836789b14e8ba433d277f57ec79

SHA256
510d361605bcec55ba4ac7032f4448ee5bf0aad76e2a59d9ff4936615101d839

SHA512
610273c7162aa197e25e9a22c4f707a643929c7b9b2724670712c7782cd5ea167177253896040a7256eee5a6cc4d9a017a14e969b70a377454fc3f28ab8c5bc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
83acdf911fd5510f5020f7147119b794

SHA1
074d8df7a529db41d65451f7fd5d13e9673abefe

SHA256
37f71ac04cf7d662b52b29b10876c5711f41226759f29abec517a302dd4341ff

SHA512
358b186b82c34236c510a6e3920296eb98029ec2f0da38ab2d8cf493205af64082f3624f0bc1c6737092e2a2e2e492b0c882527ce8f419966d98286ed7afe326

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
45ba2e5a1d4cd693e069797a09a85ce8

SHA1
a7834efbc9599971bd2bed603ae496703b5dee28

SHA256
41d0f2f8aa8a743e07956516aa70677e7d4e78a68ff885c934fa5e679ed2b724

SHA512
2ef76ac32896f3d27ef1b6555e8af58cc22776a3a820f5055481281818ac397982020a0ab27da9a4c4ebfa86ef34a7ba4be0c0024d6e2fed1e9dd617b54579d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
6954475cadb9554b1d095217fdd415e7

SHA1
3371cac09fa51c3ee4bd2c550d396295cb471db4

SHA256
6b270ad9714719aa416381fb68b74c443ba6f1f2e98410e0758b5287f21eb83d

SHA512
24e4b19c3912fecc8a107a8b7885001fd43000bb379e042876fab6c6f8adb8f1739d7f7ee32b1d74444b4188c2d0774b4ba7d66a5a2d6f5bf62e93297ea5a898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
71ed11fab4a8ab24005ba22472f657ba

SHA1
ff56630c9b94885f435927aacb3abc0bf7457bc7

SHA256
451be5d3ded374dcc736a7fd2763deed15ae8fac10d70a8f627b861b14ec362f

SHA512
d95dc61435b1cb9d21fbccdc21c5af2c3363bfa2a762c7775e82fe6146f496f41c0578d3b1a1264930c80509f579887ebe5d080d0f35d70e43a407b7c55151d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
31b5ddda33d3bf0decc72430adcfc8a0

SHA1
03426e822a45c7c38245333e040ff64b6648f9bf

SHA256
1bfe9915b8283787dde0052b833c6facae7da2b6fb8867d6a4835e5c63222ba4

SHA512
4e4457cd310d8cbaff1338d9efa389a9853b7b4149e914f797733ad1cce1ded452d7f808577383fe184d88b8848906c65badea2aea4606bd88cbfbd512fbf348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f397.TMP

Filesize
88KB

MD5
223ce012f265e9bf9addc06bbcf6bba8

SHA1
c834b1e521fd6287e24b7d0cb18d54c2d027218f

SHA256
3d6266f11779176250def1bded2dd4066ab249aac93800a6f4764991a98b90c7

SHA512
4ab994f3994ec2d59ab2b454e4b3cab6c3737593e1386f82ee167263baa1e21a191c83416a726761383a5eba7a469ae3005d201c0e73163c3388e9c3f4f19252

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d2074560a3b768af9657e4e26bfa5919

SHA1
263f73c258f19b8cc7d0a69b8ada0543d4174b1e

SHA256
1c98cdc989997acbd0c298f32266b0dc6ad25374818cb3c41c9c4e391e9ebfd9

SHA512
6b1a890adf21d497007c68f837453963412869b1b220a63b5321fdb41b50366b12924ec29ccea1d22f06874530b1291f11dd26a249b4d8177d06e273c4fc66ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8a74e2581fff4df5866ef6b5fbf0e3da

SHA1
682c72c158e939610b5fca3027e72e20defb7be6

SHA256
c86b345121513f4487b55f3f10799187856eb2d0aff2f551fdc9dc614078d19c

SHA512
6450d9e0f6e2f89b8b6919412514afc9a5d787f1531e8bc7e9f2a987cc6a2b094b9ac16699116c9f23a873358b2b0da2ae3676fb48f195ee8ab73b9b2bbc61f3

Download Submit
C:\Users\Admin\AppData\Roaming\4ded42f7c3136770.bin

Filesize
12KB

MD5
a3e5025eb55b60e45ae24b62d7f3d05c

SHA1
37e9c526c5b38fdae79422ad96de70b5fce6d0e1

SHA256
2ecc5f64b7efc902d5d90a36184edeaf4416daf98710435808f6e887e4ef222e

SHA512
c37da87953cc77e68912264ac7d1eebdb2caa1b2f0bab987be4cd44593909180b3567e8f7e145eaaaa37ab7dac176f246abcf1c0372ecd70908804ad9d5948f8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2f2b5739c78e49698910236bc7e6e50f

SHA1
fe39af86c6805f4e147f2d1272284cfc3cd2a7d2

SHA256
3e01ca624f9c5ac956a955617b972986d0515783f949ed1a0fac91f63e3ebda6

SHA512
a104238d9be13721a035c2ba20a708193ed5acdd79cba81ef658a811b727150be0b9e4d8e679b091f10220e3b35f82e6b1957a01962255c0b84f3b43fc0700f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
60564e9b67cc8179dab09c15841a5786

SHA1
36144ce6a0e4c5bd232dd1b60b067c2b61c1436d

SHA256
af374c5676229ef4128087e2a0e6f996b05e5459bc58ade93c1b690083fc4011

SHA512
7132ee8754bd169cb6cf1ad580a5bc31684f6019ce4a0b7bdb4030fb1e87057d54baf7210382c62552dd1337b3abb747ab3100e1ff9f5d193f9510445e6c0aed

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
36de33523da2b8d4b6b87f30f4c2a365

SHA1
b96f7b6ca86ddbdc31840c167a551ee24be94d46

SHA256
089b8c9dc3af4859b1ff094956bcd2ced73b0b40fd1d3cc86ec8da4145a55f8f

SHA512
60ee6451a83c9f9ee5a9f84cccc4a15a7313e4250ebde5ff5d5f38e1158d3279854c2955e0b188db588e9381daef623d5210e5bf66f200b736bbc70da7ba1960

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
748847e386bc79c6c420067ecb6b8f96

SHA1
53614bf7014a173c62461cf7f465c6c6f81244b2

SHA256
19a77f148596ff2c18e09d72ebdf0ad4f880b79c91e25ad34d275a5ff464a6fc

SHA512
58fd48013e0e145e20af07d0660c04ebcb2055891b710b43ac6c4b1cd9ac6730e02091e9824143357011afd44aedcdd41d6331f615385bdb72ecd14e4cc29506

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
28fd1a860e64e36fd67bbfa76b30567c

SHA1
3c567bb41ac820580259071d7d22234f1c0868db

SHA256
dede36f638d82d5871410d2415401c38096b4fb4b2ba601126aba0b0782c7a98

SHA512
54f2fd2389207a4fa92eca9f7a88cb2668b3cd2fd1fff9c34e2169bdb73e0d35a0a445abb191908d3ce0a365494e5516d20637b954082fad605cfaa8aaad8d0a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9c73fc1abf98520d7268e12cde19ba26

SHA1
63b5bad9754526cc4548fc007076f4abb6674735

SHA256
c7394ec67aafd38ab42b4435c175d3eefe32d1d91c8339e370474614de52360d

SHA512
fbc63a80fdb45a89cbf92525cf99c3e869f4f585b922fe539812f7975bcd01969fd264b50c3a65d5c9cbceed14ad380b3e5bd99a24962f8637dd1b79d5ad57cb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
02b858fb8ff2de81f5032c7607483974

SHA1
6981a7774b2c59cadefab3597af799afb7b9d9d7

SHA256
105a6916a4834916b0fb4ae5d94f86716dd1edfd9e009500ca92b4acae3a5516

SHA512
f0deed68687b258b21938374b9f8d2b14a5762db8e50f0b9eebe3e20fb4c5c84b272b8e819f430d1a0d0d0a2978d48dd4703e13e9eee5dfddcc8962dbed66184

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9013e8ba4b9f04795abeb402ec4140ad

SHA1
8db1cd2a5b881c29b6d5d6d4eb6e39d9b7aacef9

SHA256
9230f4585d239de929c92e0316361482460e26933ee4a26f46de343debec1f2a

SHA512
8f934b320755e5e9409641ad7af4ddd1a89645b6c0e825f0a4a604c2465a38b8f998005baf7698f9050ea2cde952c78dd6e63ede2c61609648c1c24f5137aadc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b1acdccbef2154750bda4b71c2c4f531

SHA1
98c6e8f9fc266febad42e16effacb0dcdfe951a3

SHA256
3c9576fc21aa50800f1247f2c9879dcdf235d37fc21937500a0f59a12da99253

SHA512
6101f22927826b7eb9201770acd0c535f98abfaebbf7c7a64616e3ea93ca342956a7cdf98f54574ec8f7aca21670176ad353504e2da9749f5d4a88527ca2675e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
724040aa94474b98f8b7cc1a7a096131

SHA1
5d3c8bfcf192866a6122738ab47b7a8a68ea66cd

SHA256
6f21e384d0853684da5bb33c389ce333e66dfe9770b741c5474d5f004751ac60

SHA512
d5a171ebcb5bfaf17c325c53c7fc47ae9cd83947a3f4b5788d95275eebff274721ea23295e23e524aba9bae617204c3211390111a4f60a77b9e3d5ab61aef08d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e95c09ed5e141bfefcdbb18b3a3dcfcc

SHA1
d1a765d267a0cec11dec615c6fbd470787f8cb80

SHA256
8805ab18bb9e73847ad53514e42f871558ca7fcd590f0d2ab7e3542b947a2ae6

SHA512
cb77e425fd2c67884c9efa4f6374232d441bf328e6b2d87238d7119fbaa3700d7f9db844681217355778b9da769ecdce541575360005c2b3a0550dbe72164543

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3687212fed510f2d7e786959598dc775

SHA1
bd4ab14f9d699cb184f3fbd160a06668f37b01b0

SHA256
fad1b2383b796e5e3e9e7e4edae4e9dc2308fd2fe642b8c61ccd0bae3d9bc63e

SHA512
d31dc643d84e65f5db98c5d9e14352c35a7b864b99d0b671bd470ef164123064c9fc539a7f600df1956575956eff1f4c164bc23eb4a43e7772a62728e2c99d92

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
877e77cf96357b3d8d7afd2c04a5c8f1

SHA1
b2607f0ccddaa6287a9865978a58634230461f56

SHA256
fa6872f5128ae63bde923380f9c4157e76499750e6e82d3d6bc9b2f92a69bc82

SHA512
7008734dabeee9bd8a3145f6ec609652b0a322674072b299bdcce0eefbef8b3cea04dc1dbec96e3aef0b051f610829e8ce2c511a466eb31569330a105b8f941e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8d3d3c33df30d4dadf2d9fc475cff1c2

SHA1
1c49b7eaa332d5782ff9678569bac4db087ab121

SHA256
25e9c336a3c7742d248c7e539bd6247b8d15ab27e66af284eb3d3cce5ecb4450

SHA512
c1abe94b3a3feea3dbda2b7f8901aa136a1fc7463da72bdc5d98e397172ee2baa76eb4ec83b150fefa03e8ee18dcc69c62a961dc583c6c9e85529098592690be

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
132936308ca57e2195b2d511ac7a7d49

SHA1
033cfc4e44ea3e4b516d044734aef735bd5bba2c

SHA256
96d013f801a8766bb8b0388e62ccf77595082e990ac3e39057693a44a62ea9d6

SHA512
9d983807c07fa002a92c0b8f393a4bd4f60bca8ac9da60de689d2f434c3632ab8c7651e6bd359b65a2e135110973668bd80dfc8d2e89f5e064c63269c958fb86

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
41097107876bf07d737d585c53e01c7e

SHA1
31af4c7747ad3d5a8d3a4ad67dc6e6a91a2b9d41

SHA256
5498e799e8fb99284f2bb5c3c00e7f50e2b9953116a4f231a1528d5729f94749

SHA512
ee9459408557bf068acabd535e881c3adfea74383a1559c6c63a1871675fb768ad8c214684c1cf86445c092fb91179bce513eeab031ebc226b0af237ae5ff467

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
bbb9e1d758ebcd26e6d023fbde5d5ee6

SHA1
692eb3481f7280c4a50b7802418dd2b0a6d2617f

SHA256
7ee1cd0537f4cfde0cea0abdb3dcd8c18deef6b9f8c722ca995596179105b0c7

SHA512
5a4a73162261143ea87a20c9b278c71df6c234e2d442753cd35ed1fd9292b1cad115ee2f736fa3ab8f8d4c2e889bb4794d65d4cdfb378647ab54f1b740194c4f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
68c6056493384166644c747ebe6d1997

SHA1
23b3aa7d668a9f779d74f0deccd150240821a8c3

SHA256
2bf26f6a6e2f2fa9bc96152e86f3b966accf14c5c4034f268e573bc227cfde10

SHA512
0bd0189a5b5c261398527ea37b274e9cea297d92ae2ead8bd12da5a120252d4eaec4912d083eb4e8d71441226e9034d2d8fd376744d71787b38831463d9394ed

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/452-322-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/452-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/452-39-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/452-38-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/636-675-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/636-329-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/996-106-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/996-93-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/996-101-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1372-207-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1372-611-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1592-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1624-68-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1624-74-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1624-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1624-223-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1664-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-673-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1912-219-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1912-667-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1920-57-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1920-63-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1920-91-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1920-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1920-88-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2452-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2452-11-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/2452-197-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2452-20-0x0000000002120000-0x0000000002180000-memory.dmp

Filesize
384KB

Download
memory/2768-729-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2768-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3012-198-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3124-672-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3124-251-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3208-199-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3372-208-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3560-37-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3560-0-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3560-6-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3560-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3560-25-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3572-250-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4008-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-328-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4384-674-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4456-635-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4456-117-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4536-265-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4580-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4580-566-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4580-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4580-79-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-201-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4836-200-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5104-46-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-54-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5104-52-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5756-605-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5756-540-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5808-724-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5808-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5912-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download