3a5d65fae87fa4fadf0b0a6247acee05e960018686e242085ce1e89a4a1ad4cd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
Size

5.5MB
MD5

83c9d2f6baedfcf36e10fe95bde1cf23
SHA1

6abf394b217bc1e618008b7cf0e0b7f42595d059
SHA256

3a5d65fae87fa4fadf0b0a6247acee05e960018686e242085ce1e89a4a1ad4cd
SHA512

ac13547942269617bbc0937aa23f04eaab793736ec7787dcf7f22fdb08ac2ce623a2696747835468322f60331513c6a13af2c10abdd9edd6c65ed5dfde031220
SSDEEP

49152:xEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGff:1AI5pAdVJn9tbnR1VgBVm41Ms

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
32	alg.exe
868	DiagnosticsHub.StandardCollector.Service.exe
4824	fxssvc.exe
3272	elevation_service.exe
1816	elevation_service.exe
1996	maintenanceservice.exe
1152	msdtc.exe
1844	OSE.EXE
4660	PerceptionSimulationService.exe
1052	perfhost.exe
4604	locator.exe
1612	SensorDataService.exe
4864	snmptrap.exe
5100	spectrum.exe
4568	ssh-agent.exe
4620	TieringEngineService.exe
632	AgentService.exe
512	vds.exe
3592	vssvc.exe
960	wbengine.exe
1752	WmiApSrv.exe
1508	SearchIndexer.exe
6088	chrmstp.exe
4528	chrmstp.exe
5232	chrmstp.exe
5240	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\48089bf6293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009afd8b959bbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055a3ba949bbbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000372637959bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7cb45959bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3019c959bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ced8f0959bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006bdee8949bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133625415814825242"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002365a9949bbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
6112	chrome.exe
6112	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1016	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
Token: SeTakeOwnershipPrivilege	1724	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
Token: SeAuditPrivilege	4824	fxssvc.exe
Token: SeRestorePrivilege	4620	TieringEngineService.exe
Token: SeManageVolumePrivilege	4620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	632	AgentService.exe
Token: SeBackupPrivilege	3592	vssvc.exe
Token: SeRestorePrivilege	3592	vssvc.exe
Token: SeAuditPrivilege	3592	vssvc.exe
Token: SeBackupPrivilege	960	wbengine.exe
Token: SeRestorePrivilege	960	wbengine.exe
Token: SeSecurityPrivilege	960	wbengine.exe
Token: 33	1508	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1508	SearchIndexer.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
5232	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1724	1016	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe	82
PID 1016 wrote to memory of 1724	1016	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe	82
PID 1016 wrote to memory of 4296	1016	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe	83
PID 1016 wrote to memory of 4296	1016	2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe	83
PID 4296 wrote to memory of 1704	4296	chrome.exe	84
PID 4296 wrote to memory of 1704	4296	chrome.exe	84
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 2236	4296	chrome.exe	111
PID 4296 wrote to memory of 4804	4296	chrome.exe	112
PID 4296 wrote to memory of 4804	4296	chrome.exe	112
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113
PID 4296 wrote to memory of 1804	4296	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_83c9d2f6baedfcf36e10fe95bde1cf23_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb610fab58,0x7ffb610fab68,0x7ffb610fab78
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:2
    3⤵
    PID:2236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:8
    3⤵
    PID:4804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:8
    3⤵
    PID:1804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:1
    3⤵
    PID:3336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:1
    3⤵
    PID:2468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:8
    3⤵
    PID:5980
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:6088
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4528
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5232
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:8
    3⤵
    PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=740 --field-trial-handle=1912,i,3443989574940589568,6726539572642024350,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:32

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4836

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5100

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1508
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7bfacd0aa7ced0f68e77d26e9c01c16f

SHA1
45672acb2a31bbde5647f1860d825cc539b7f28c

SHA256
b6b2db9fb031d2daadcc2d59234d4a044b8138bb9e4a2d898e6f41f75f547f98

SHA512
a7e12da2a06b29e8114ee4e262ef19048983c768afd4cef74d1e7767ab5017f91d8e69aca30d60824c84360b79f05848a990055638f74dae8bd2fbe8867136ab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
9297cb07ee6cd28ec4a07d9cf2343c3f

SHA1
97389564bf96dc81c320ceaa8e05e84ac0354ed8

SHA256
9175127a176506f8a825a9dba6a00fe72d7df0a72c8f646770696b6e1f1c28d9

SHA512
3c0e9468b5e5d44bdbbb5a3481387e3e0187561981d93b02bf3ec3c727782597f9c442eb6ca304ec24f8f9db66f113e3c138dab7ff7f14650ebe67e47171854f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3b7476802c1c25787ea5fcc57a28f7ac

SHA1
da2e1b90c3507fdd14adf459d6e97a6765f69305

SHA256
3b93f20acf0ea665be2ef0e501110f9d11468965f8d41b2c45be83e9c829479b

SHA512
9928d264a180797b06b536dfd8e9adde6c515076f7bf0b984afc718bc9456a703c2396caf2d312088ffbdc61b6c50db789a06b7056bde17d990e79eb39204b80

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
294a780c2787b58eb4b3be51add76eda

SHA1
693a5aa38666127c74f18e5eed84f4831815c460

SHA256
8ddef696f445f7592f5bc393f2bc7bdb7c06dcfa78b9519fe997141de8b1e3ec

SHA512
94fc3528129c2661f319eb45249353fccc79c782c21991416010dc73110a82fdc84ade8e5c57e60b578e3a029bc83e43b099a13f47f985026406e2579af8dbd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7b4ef9948aa087b62007066fc8261c64

SHA1
5ba0e396cd74151fec3868aa10d92101cceaec13

SHA256
3af02f3a9c7cf7f0df2343ef1609f7b8a053c6dc4baf453a7441b47f78da32ab

SHA512
d14cda266f3a42c4371280a20417cc188a5471050c9c34e618bd53fb5155f0a9a77600608e5f4227ef7f4966255f064a08a6098bd98a2c040b59fc8dceee65da

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\54d44339-bccc-45c5-8f97-0549682ce889.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ae1c41166a0a718cd643fb21e7f34d5e

SHA1
4f7d302556e204c468bf414d33eb6eff3e14e8bc

SHA256
0676be144535a8bd85bafd405a5e2b68b5722eb95b05e24de4b988436f624f86

SHA512
11a86529408771cee50642b8f12fdb3eca9506a217ff182ab3f3d365da96353ca413a2907d1b1a37bc0d8048ae15a0c8965a924644816d88e0b9063fe116aed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fa21532a0099f74c76dcd3b4582a6c39

SHA1
f973d52f0829c75230782ccf6c264f01bdc73b84

SHA256
0782038990c109a28b4cf473ec45b09ce47931d49ecbca52302081e77a6733f4

SHA512
e43379d37521dd0e7bc4eee8afba3f07313f58fb089bec808210426b949d6e90e7c276dec1b313657cf08586a6025edcbc26a583340c44fa9f560646800507e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cc06d858d752fdd9e36e890f04d887e1

SHA1
df01bf35c4879e93302b8022ff4db85d4ed450a3

SHA256
00c7c8072aac67c16beff158fa74b96f61991c2b86eb24faa64342ed61b5443a

SHA512
dad4d97666c9f1b54ef2e6877a93c7350b36f13075be68956c271bc52854f4e1e21ee8d542319f6b62b472484a87b444e6727d9dde0f9cddfe3cdf0a46330b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57beac.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
c59592d66cab4e3b975d045959de46a3

SHA1
b36c5abf9816f6c81faf304161153cd83c00409a

SHA256
a0b725f5a91c44ce46dfc8012d1f24e2706fd6be8ae663ea9f8393230103f354

SHA512
80a1826437b85745901060d49ee38f3201477773f6de0016e076e0fadcda6fa4376b21ac9fb97cab34819c17342eae07301b97c292301358e30f48ade63a5dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
133fcf634f0292e4876307e51a4f5ba2

SHA1
32c53eb6014776bb14d34aa66ee1490e9061fc62

SHA256
48390d63cd21c97b54f81fd3ad7cf32e419e0cfab94e81d6760b7401cfe75a16

SHA512
e95c6c61d9bdb9a215932b6046d0096f67d05e34c4b2ee39fb6d6e30366cdb5a7209978f0acaa7bd33f061d9cc445febd5ee19bae2b37205cec34f53623c9c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
3202c0f316b5f23cc0fe737afebcf2d1

SHA1
1d492c334d28f6aecd83449acb6e3642bea2d6fb

SHA256
8d539e0ff60a1f9b819754cf7bac789dc11f152530bd2a98d52851d1b2a4975e

SHA512
d45cc7b9df6062b40597626176ed8b4f9a99d0027be61b0fab42aae9f38fd0175036c0dfa0a34ae01be6051468079b4b66c609afeb37936be0ff3a473efd0c9f

Download Submit
C:\Users\Admin\AppData\Roaming\48089bf6293b476c.bin

Filesize
12KB

MD5
a70ab9ea6c80e5dc0d313ebe6b177fde

SHA1
722b1e28b9c0b5e76e4ab15971268f684ab8af81

SHA256
1dc3226745a47db1a3073f606516661ab9afe58878ab2930fd077f38ad4aa55d

SHA512
8b7fdfce2651f2e603f166dda3f15c43d8c411463434af3821579971a96259daab26eec6d823ac1266981e741026744a29e172ac6c58bee93a204ffcbe1ffb45

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ee1578265b11de08a71ef26d7f159a88

SHA1
a8487431f0e7d23fd828dc57e2f280c778ea3079

SHA256
c5ab5522180bf5c8ea7cfa31a390be28669ad9f9a66e44026e68a4758703cb5c

SHA512
ea04960e3706d1762ecf7b55a91cc0ce72cb769e460ae8645c134a2e7dd18e4c7d6b0da5976bac0917d51d5523836c6ea1c19d17530ef091c1a53e0486bbcc4b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8c32d94807c2cbf83ab7d223de182fe0

SHA1
7d98da18d11a72a15b7de8518f5181d00064fe19

SHA256
a92870672858007524708f74b99ac5ac42a66bfbd04099381ff771a1838b2512

SHA512
0a30c9a2bf89a90dba29552df84e19c0698b57d3caa832a61672a5a71eccd4a81a00ce5559b8303fef9cd0ab65e8a60edbef46c2420e8f6b356602b42ae2a557

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
8710cf27441f5b02c79e465149d3cc48

SHA1
2d135dadb9d576f3cc0d64ae0aac7c050e73f015

SHA256
b5c0eef8b1f43f1312c9102ce7bbba29dcec7734063342c000e6e95475aef068

SHA512
044bc88a31fd26ad9ee79011dcaaabf195f9be394dadb91279a96471a12893e093f9558a600487cf6d1881fa177d5901c112a4c1caa98019aa8094b91123bd31

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dae75e689766e9febb23e025d7803870

SHA1
6df98e4d2dee406c35793a735a74bc3e7dd73c91

SHA256
ae9710f039ff27b692e6171597d21dfa0b67d266035c6c39fe17fb8c35ed35b8

SHA512
f4576c68375870f6d7a0a4f71ce1240c5a8d93f0244f89bd326032d693eb9cceda241f663c12289f584ed0f155ee55cec517dbc11bced540f10e4d854ec5f4ab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
49f6b5bbbc7f6e735e416e0e829d65f1

SHA1
73d81b01e7817d1b47a1ba735389276b70bb7f94

SHA256
d5f2f10e13f444f62bf6f7d085335c2f524bbb27e6960cdaf4979d1da42389c1

SHA512
0de75bee49dc2af0aedf735d0398cf77e99800a9a3e8d6a8596900fe2a6a18219a0aea567e601fc6a2de9f1f35e899bb488d38882731dac4538206ba1e2e8777

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
01793677a431e9a63896cfb660710f05

SHA1
f50013cc683d4ebece939b11517cb71d6894b0b8

SHA256
f7b1b7848c46ad8f6cf18a1ae7824d217514a7f823f8c3b75221a4e50ec081e6

SHA512
1fa8b37790f16919436c87c20497f75001553b17d2d78a8f0f71ffb8f62b5bfd8e68eebc63255599d00bd69e193ca7c711cd0cda84b38fb7f6908a1483e5f504

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0224f7b6221e557cdf9889d7c6e684f6

SHA1
36d5c2ff8473c987b326105f2b8eac2cfe95c116

SHA256
727949f260bb4f957291bd2146b86fb1466da9ce9420c600a44d4fc8ac9a49c3

SHA512
2a89dbf0299e5975a7359c21ee0bd9d28ad9fc6bebaf948534c96d5ad129837f465d0996a083d200e88c2827aa424b5d830f1caa3b342fa2bd0008c23b399b03

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5825656048ad36cfb503ca8f3cb01757

SHA1
6781f055f2ae965e5989cedc4487925fcd68874a

SHA256
8c99391e996531a6e4b16225521773bc65be95f44c3c2ca28d0009a6bb53cac6

SHA512
3882e5da1909d4e9fc40cef0a50a825fd7dd4d08ab98a67befc1e3056bb32040df9636ee29195a8530283015462a984b008a45aa960ab1ddb65f9bcb1b78925a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d35412a17eb532bb75fd30b179b2dfa

SHA1
08be21ab0fc582f80741e4a8b4f1bf142d66ca4e

SHA256
5f4d97a5f97bfe8d07503146ed39c79b99545ce6e3ab78854556281ecffbfe15

SHA512
7602814a95bd8983a39fcb85a0a91cc0d8e86c44ae71b8139cd4cdf6af1d36ab6e47ae22611d17a8882c299adf5ae8a66f91f1bb0bc17556c8acd0b1fab45075

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8a41225fc834235c02040a6e721b910c

SHA1
0c1f87054e810a9ee285defb8438ee432aad832c

SHA256
cc04e08dc249bfc4c2eb7b699eb6055f32115c2095bd48e074f4fb92706fb2a6

SHA512
d306f68776517193bb3790d62e83858f021d47cdfe214ace41325d8f2b206d4f46d221b1ff65cae9aea2cf189f47384d3838fd23de7a05a25eca5d5f67120277

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
09974dae2cdfa121d503e7456c51aaef

SHA1
a10e721f5aeb9bd570ef563340aecdd6a5396a85

SHA256
87e8e06e081e8be28e0b3afa818c18a71179c4f83611780474e3e0c351f31e29

SHA512
478133e8fee53a5a4484d56d29f5ff16a93d180b57d011d839f74077979617d0aa8651282dca5d09a4ba8723310a3480c5bb7baffe826fe6a734ed97b07f5091

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e5ea415a1d0f8d72bdef7a3de4157325

SHA1
adb71f4f45398cba077934a15bb0ada33d2a18dc

SHA256
90dcdc32910ae3dc8a794498aecda8574482b09d52cdb12d72b2b171725bf9e4

SHA512
8ed2dc7fdfb49fc71c6baa7887c701c9765160db00f5370d0cfb5a8f121aa662b530b036b7d93059c664709655ec1eb3df9f655d5552fe3af32685a17a56a1c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6bd8952e58c61da8bc7f4e418875b610

SHA1
0b918a22eeffcecdcc7aaa155b3341cd4e170a54

SHA256
e78b5202b43f605afe2a1f900a36e3ddc901283afa7390804d33d0190084e24c

SHA512
b9ccf5dfe56300e574df615e885821537c5467e08fe7220881427085a80cc6f38396f2fe335d2cc6d7a3e9d21e5aeab0bc1a5df1d00126846e9f4f3f478aab4a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bce11108c19335405b03217fd240074f

SHA1
156f5026af182b3a104aa51d99d8b777260b012d

SHA256
97bd8680283afe082d22e0ea79550b2e9e91ddfbaf8e2a9ccea7e46e761c6d5b

SHA512
44c841c2ba9be550cf575c8fd1841e423f746f15eaf521b05535d90cc0359f0a2fd655f8492667f1fa8ffb7b29564bf17385df6c9df6b97c0432a81e99b83354

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
183fe6c3935582bcea863f7bc8249c2b

SHA1
468770b1d69f54cf8ede73e2347d845658e79e56

SHA256
6efa9bc31dcdeca56a63281f5290acc0f1f61a76d3bbc1eeff1765ee67dc1350

SHA512
13d90bdb2744f1ae7717c9f5ddf24f004f76e6a0b97f35bc8f8e4b6216e9d835f84edd3a63165a5fba54b116c712a63382bbebd58e6b82011ba379caaed54045

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4f4b73bf58a27244377498b6f5fe8887

SHA1
4c113a80700cefea07c5c64f83ca437726cde6f7

SHA256
d5fcbb4dfb903063963cbbb1b31d8e38a4447be62aa310d0042e6463908fbdcc

SHA512
b5f715ae2d47939b35a866130d8745d71fbddbc30f4713d6aac71251215babd3411fe77f4b08fefc16f89675321abb4a58bc154222636914d852aa0848cd9102

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
de321618f391b7f70cf9ff49af89aeac

SHA1
7f56b089ed3a83d46760138ed15997c29b7f5e05

SHA256
c6e524f5b3017972cbc0d67f6fbcc8c7211af60ad17cf5fe9a16843e191e5b80

SHA512
e9cfcd4a00e37511481d685dd4f0de0c910db60316428263ac4d1d4b85999937921f7e07edf3589fd5591b916104b919dcc35c4acf249c179ac77e94cac6121a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
db586cfc83bf3e7fe03ddb3ed6dbf821

SHA1
585fd4be144f284b7567420b0e0b4a6e976c5a70

SHA256
34e056012cefddb036b123fa2da6ce1f3e4aa21d261fd26e809a048b20f70f40

SHA512
d734375460862f67e3028192b1b5abbcd35b244d185785ae670e2ff0adb8f45e6642add91f47f7424e2d1c6f64e87df4c133548330664008a2ba8ce40db154e0

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
memory/32-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/32-52-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/32-39-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/512-322-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/632-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/868-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/868-53-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/868-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/960-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1016-0-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1016-6-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1016-24-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/1016-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1016-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1052-211-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1152-207-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1508-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1508-683-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1612-213-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1612-594-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1724-17-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1724-12-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1724-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1724-551-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1752-682-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1752-326-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1816-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1816-679-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1816-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1816-205-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1844-208-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1996-88-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1996-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3272-422-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3272-206-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3272-65-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3272-71-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3592-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4528-684-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4528-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4568-216-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4604-212-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4620-681-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4620-217-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4660-209-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4824-74-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4824-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4824-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4824-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4864-214-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5100-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5100-680-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5232-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5232-549-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5240-685-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5240-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6088-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6088-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download