d5be2d5aa4e7b64c8d56675b8c4a0d3d03593c968942bca4c0ba9767ad5086c5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
Size

4.6MB
MD5

eaf9a03fc95bd5eaf9880a04a43d38dc
SHA1

45656bc36918cc00d6fbad880045a3e01415d7b4
SHA256

d5be2d5aa4e7b64c8d56675b8c4a0d3d03593c968942bca4c0ba9767ad5086c5
SHA512

6ffd1c8a22de7c69dc556e1593981c8496f8e2a0b537ce974996988024c8e0f15f9b67001397dd66c0e566b1ac99ea9cc8447db6faf941ce9670dc2df36877d7
SSDEEP

49152:undPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGt:02D8siFIIm3Gob5iEszS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1952	alg.exe
3824	DiagnosticsHub.StandardCollector.Service.exe
4496	fxssvc.exe
452	elevation_service.exe
4168	elevation_service.exe
4028	maintenanceservice.exe
1636	msdtc.exe
2408	OSE.EXE
1408	PerceptionSimulationService.exe
4388	perfhost.exe
404	locator.exe
704	SensorDataService.exe
3248	snmptrap.exe
400	spectrum.exe
2952	ssh-agent.exe
396	TieringEngineService.exe
4800	AgentService.exe
3664	vds.exe
4800	vssvc.exe
5184	wbengine.exe
5348	WmiApSrv.exe
5528	SearchIndexer.exe
3060	chrmstp.exe
5624	chrmstp.exe
5728	chrmstp.exe
5868	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1b4a4c094bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0fa11d81cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd4f85d71cc7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdc0f7d71cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e2a62e11cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0350dd81cc7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
3560	chrome.exe
3560	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2060	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
Token: SeTakeOwnershipPrivilege	2488	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
Token: SeAuditPrivilege	4496	fxssvc.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeRestorePrivilege	396	TieringEngineService.exe
Token: SeManageVolumePrivilege	396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4800	AgentService.exe
Token: SeBackupPrivilege	4800	vssvc.exe
Token: SeRestorePrivilege	4800	vssvc.exe
Token: SeAuditPrivilege	4800	vssvc.exe
Token: SeBackupPrivilege	5184	wbengine.exe
Token: SeRestorePrivilege	5184	wbengine.exe
Token: SeSecurityPrivilege	5184	wbengine.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: 33	5528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5528	SearchIndexer.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
5728	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2488	2060	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe	82
PID 2060 wrote to memory of 2488	2060	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe	82
PID 2060 wrote to memory of 1676	2060	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe	84
PID 2060 wrote to memory of 1676	2060	2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe	84
PID 1676 wrote to memory of 3652	1676	chrome.exe	85
PID 1676 wrote to memory of 3652	1676	chrome.exe	85
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 4284	1676	chrome.exe	94
PID 1676 wrote to memory of 2256	1676	chrome.exe	95
PID 1676 wrote to memory of 2256	1676	chrome.exe	95
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96
PID 1676 wrote to memory of 1644	1676	chrome.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-25_eaf9a03fc95bd5eaf9880a04a43d38dc_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81a32ab58,0x7ff81a32ab68,0x7ff81a32ab78
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:2
    3⤵
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3652 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:1
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:3208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:3092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:5220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:5888
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3060
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5624
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5728
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=992 --field-trial-handle=1884,i,10106017551700186226,14809015398676740727,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3560

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4168

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1636

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4388

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:704

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5348

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5c322101f22bcca7c3186d2f060c6369

SHA1
aaf259dffb149a27e0d28c6c862e1c29bd225526

SHA256
2ccf9a8fc4eeb62003c466eccb3fe49963ebd39c0ef15e97f6339c8093b5e139

SHA512
a9a48808b60bd93ee1e6d6ad92699c5deffddcf18cfd99fa76421d233f76e180e079b7a5a732a07c3e3e186c65a4584a983b4c5574f8c2bc5ebcabb9aee978f2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
73dbf1238e2a741442190ec7d002754a

SHA1
f322a392fe9b056744c78608bc936cd8a141752c

SHA256
4f2f15c8a653adb55f91a7851c08deab0c36636ef5c090dbf99b390f751a5e3e

SHA512
6d90137343fd17eee45c936d3f97f611d119c8a14c3cbc8838d9e0e792a5ab59fe80e12aed4bf1b7a8bb240d0a2efce46e78d181a3ea84fb4cc4ed63d54251f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ee88d5d845280c74ade9b266b94a7a44

SHA1
5820f5c32c562e6224526cccd7dd4095ebc0b8a3

SHA256
e790f4e25eebedf066d61c0d9cce2741a8ad37d52e3aaff0828405bac23d4c77

SHA512
1c517b6727c3d1499466d014cd4e9b46ec374c63715a6edfbc18253f628ac6d96d5b9a79e52d412a464a469e9cd0a153dde5ff0b82c3e7b1d308c52940c3373f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
32971002e5e398585e8b34d762347276

SHA1
5a80da167d1a8fc1b0d66e4e7b2d8145fd2cb5ab

SHA256
eeb9702e7610475e3ec4d9fd0609359b72549034270ac5b419390d47e225e169

SHA512
71b9e1468e0d89d5b764209616b9375589f3eb5327bb148d97bb177e5288dfb5b542090b49d42b3c878b13b606c1260e88356ca9b52a4cc9ede738255dd2d76c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
49f9b0eecc722a4182e68f99529c0a56

SHA1
8d2b0589a6d0c3525653ab4e0de37c2b5b88a5d2

SHA256
721d1fbb67037e33f2ec07a7d1971b52678d9e6b37e6def57ed402a85e96489e

SHA512
434c163a09c7e9d2cbde4f174496337e14e88f9c5a8ff2d01371892caa14f62e04026db385f7657b475a8728bb6d4d1b24960e3971a9e9932fbb671e0b4df5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
12b83e989851738f4289adcc37d5023b

SHA1
dae4ffd3ea26a44812a491b93fa1cc360c63ff12

SHA256
0671e614cf8e13a6f5c0785637d353773dbbf4c3e127fb463ce099c79c8f5950

SHA512
c4f3930765c45d90abc5c2a5f5be42e6d4cb98f533a8c72f8fd9c4ce73156850f1482f103584dbda8aa911568dcac35f8322cd27083ac3ad78132e6af8857f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7db04723215ff94329832751e93d5acf

SHA1
07373459e6dfe1d2d9df3dd984fcc71e4dc75a7d

SHA256
0249c23e1ecda99a62fb6cb5ab590e32ff1eb14474123ba82a2740073e854425

SHA512
531c40cb205872448190b9181f1a9f1fee020c97f36517a2ab7649190b8cf89aeb55655874aca57243178ed16c3765ea52961122428edb2b311f9d3ac4bf6621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4af46e8b91a60c8a50227d6b55a0ba3b

SHA1
9f62e781f9f44e5c61911b555b355b064df57ab3

SHA256
068a7b1d59ac5c0778122aa7a263a9b1e0dd63053739a9becb4b54dd70a51817

SHA512
063740ef1ac8dc2826f439531578a9e574e4ee44220dbf2ec52bda0a1fde5a1cc04492e3b0503f716f1181a025e78831c7c58c9ccf8f0f8ed38a2b3696abff81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
abea9b1dffaf911610941619cebb78b7

SHA1
858e8ee0d6f23179991879568cf226eb0f2a04ad

SHA256
773843007afe45e5a2984907170e1ae69b5a784ea65fc0500917389ec09cf1a0

SHA512
829171f8b1d2aca9fbdd6c968cb109645c822f8b447b488a95dfc2529c47c84c2e5bf66e40c068343142ee1c1e861f23d710bbcce5e6b407a073ab5a5bb77ab4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57665b.TMP

Filesize
2KB

MD5
4d9f9409a83eaedf129ae19f52020b6a

SHA1
cc3fa0ec8a8902487b43752522320e749cfd13f6

SHA256
d062f973e1d03a91206bd6317cf2ec9c69ea064d0fe95041f06975bf9e3d1a93

SHA512
8f93adc4e1399a5802dfc89ac8140ce5eeb8809699c0c5b58e772e7bef88505569f026535d3570e9168a774a825d7ed85f2639b069598c16b23af329ad13752b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7c04d1996af09344a09c67bc3e6787a9

SHA1
77118531cb8ddaf9f60d9decc15924a4673c613f

SHA256
a905cf0aaa124cadf6f2573f4c6f86e5217c3436b859b7e89b2cdb50852cb4c7

SHA512
db605992cae8082a741aaf56dc63f0557aa0da28dd1265947ff898f9395cf526932c2473591ce24e43befe9e5188bfd7a213781d2cbf990493fb2ace2fd6da85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
d8e0a8d9a05b9106aff5ed7fbf54c017

SHA1
e43e376cbd744e6a8cb9ebcaf88a5ce00dbfe146

SHA256
4e56d1dbfe06f44de22452981852c850fd5e4c8c80ace20e9b2395e3971f8c16

SHA512
d8e44116f794a95fb68d8d89d52ec233149c25fb3dbb1c9d5e2139362801ca490b883c22bface51d328f8e0e4e24969b66da1dd00a9ba3f785d7c116a9577c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
df6ec10d6973d58a176e6ea0c7216c01

SHA1
ca0d2ede526982e3a479afad278b66fa0663c717

SHA256
95b7802b987de1ecf28698aa8f84e17ee0a67b874b544038edba6435286cbfa0

SHA512
18eb626aada4712aee3061f6957e554497ff6f3a927a610f2e87102914625be116794ef13b593adbfbe8f650ce0f851abeec4db7a66944e911d2eb712d92e9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
2e2ee7dabfe1c4b8de8af3e9b417392a

SHA1
e73f59fa7fb0e1b2ad4b12e3be64f94a6fc31276

SHA256
2cb4dae5f2f4e98a3ec51c2e34f60d4558fc96cd89f4f9fc82d9acf3deeac2c1

SHA512
944d351d1295ed4d1a60fd6198b3c27960d728de3f41d009b6b1b9b7e608bdbdc3e33efb9d3171d9c54e6424e7a0bd65fe2c929d2e290a7d885909602e3912ef

Download Submit
C:\Users\Admin\AppData\Roaming\1b4a4c094bebce60.bin

Filesize
12KB

MD5
62596d732bca7674736e222dc56e8954

SHA1
a575e927b9a9f255537caa800c75864ca8d8ce64

SHA256
99e0999e074c2fc157f4166d9b87b086bb40b0a42e338fc14751b8e8d88bf7b0

SHA512
0f00d2310ea7b710123cdb5c6fb46609123c5f82072423d5e8d97117109c2dbc908c4ded1ddfc3cd20c120d4b16248ec67f886c24ab3df5a328ec80bc0a50769

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a6f24b0328468caea923bba2714070ff

SHA1
0421d7b8e719368c075a099f43bb0d18ad8b0c11

SHA256
95a7e75dcb3c0a4fff87e7e6661bb1f6e2220cd09ee55ba0dd5e221dbd98c12d

SHA512
9a81ae2abe1d97e5541e09e587f0f42bbbde66cde92b310148ec49498c11c6fa06e06e0a4a9fd0014691e1dc5fd58184c3aacdf172f62f1508852a87efb55371

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a98ce18b992cf0ebb69cbe3fd098b980

SHA1
85a7d6b9a6903cb658bb1c069c5ba267444e91a8

SHA256
b7e9c362e3a8846f5691c8ed34a4adf73a9bc9d629c28b5ef35f8c2d1275a6f7

SHA512
d45ab2d694d9365a2095fe2612d55b822c41670f307ceb8935388d2b46debfa20f5c200823095c808f850e9ddc95b4675be05f1916a75730d6a56bdb883cbf40

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0db4fce1e6db6bdb293d054063c4eb9e

SHA1
40a001e8b1f097a565382f0eba70f6b0351465d3

SHA256
b6671b4686089bda6e985ce9f190f2717cb003e57eaa455a491b730605efca94

SHA512
274514e1b0edc06982c6878ada110f2de92e6afa9ec3ba2227f8a530cff7209945f9c582125d2cf99ed10283a7544004efd8688c5f1510a01c83894e38ee862b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d5b6f3f99bb574a4d21c7ac7db8000ee

SHA1
9626353e57b1a4bfdc2e3158f72dd9b1c39a7bb9

SHA256
a81a6a198032ebb4db4312cf0a52b0ee9c169529a08e3c7767dfda5df30be68b

SHA512
90df3d7f1fa326a57d1f692540ffb58fba52974b128de8ed822c4a8977c349a2599fe28953fd4ec8547bbfb88d0f9b98cbdeb0faf2069f9987c7f2b684fccdd2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
3687641b5ec9a94619a7887bbdfb64b2

SHA1
c1c2605af620b64fb7aca0ca4bcdc097ee28997c

SHA256
6439f94d89096b7312a07bad1428afd2a65778d63fd29f8f431366a47afeddf2

SHA512
77bcfbdfc91f20d6390803d3247958fb7c935850e6d9e1d52c8ea7ab4ffd269d8c4aeab8532aa79a89d326cfc89c21187245e06327e2b8e08b0390dc28541174

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1ce9305771bf3500c645c2418ec54fea

SHA1
d4ca45191cffeac035396cf8e3b125d9518546bf

SHA256
3a959f892580e196b91c262b01eaa9326c34985fbc54384f786db61f67225d84

SHA512
e8fa68ebd01254aac7506327ca5201abdd788114862a9db1ebdceea1625dc31304d23ddeb39165e500951ef5d821fea6fbbb397c1ccb63f47ae5f94b6f9dc7ed

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
aa6cc1d5cea0f189de01aeb35a56fb64

SHA1
9e6318708d72c1e6d02c4de2efffafd491d7a665

SHA256
dabb012138d4ceeff2a0bed90ee2cb863cf56ec18bd8512d733168eec4fdf975

SHA512
18f68d629485e73a23fbf4822a83e5105b43ad70dc2cacecb888d95eda3dbd049460ba9729903fbf9c0dcd5802891adbe3bef0bbc7660674b873c60c5e3df1b7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c299b907963f1077286725c9fa2668ee

SHA1
43dcba35c9ace7f55a12bbf33d44225704d50595

SHA256
9501fcb24ce81cfa93262dab2f15996a2bf379ac5a67ec1d5af5ba1134b0f7e1

SHA512
cfc5c7dbf22168bebcf76ab3f6f077999786cc9d798ad7b0a99ffb246e7ebd75740c45c75cc846a81b1f23233ef389ae86dfe06779e7e113d60da61d57eb4b43

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eaba9193f4ee736de35c9e6e496dc3d0

SHA1
8dd7e41bec1f01400d3ea4fb07c5abc29d389106

SHA256
59f75dcebed0655d92b9012f0c627531af84aeb777860bcd3f030a7ef820f8dd

SHA512
0bd781870b6fc338e6744018b17b096aac259d38bf3eedfe749296d25d30d565e29da0eed90639ce2ae271cd24039a5f19af3afb5b120d2a29850fa5503b89b2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5471bd81afff5393c3760cddbe676622

SHA1
881fbff816554b2c6e6ad387b32403e3cb77fcbb

SHA256
89871d4118c41a528f0ee086802a7b8a01e9ab3fe475c67bbb56f9fcc407e9df

SHA512
d5022949b8f0f86e0adf8e3077db94a4566811f67643d961259bd7dcfc11a57eec59c330bd696b7d8f89d90f1350de3c062802997c5b17adb4ab0a82a7210165

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d5b9628b490323603fbbfc9274a8906a

SHA1
1eef951388aaee1220e33c994b26cff1a992b39b

SHA256
5375e876fac68962fbe253005bc2ba190c35089c6d1f09c5eee99207e7faaf4a

SHA512
88c181a4e29821aef40a1f78998f486fee0ea43eeaf00da28f4dbd918fea461b79c4fd89fc5b3e0f12b3f9206c1d01027a3f41e51d7d3c91088b7c74ca313592

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
272eb94d1297321421097b0854afbecb

SHA1
5eb51e022d58763dc8ff6c3e68e973cb59d7f0f3

SHA256
06ad19b2cbf97d2fc1dbeb1a5d8416ac90619feba51cb0785ea742f7435a067f

SHA512
d74b5bb287515e882d2d0587516e7ed3cb528fcc81510216ea152597142e504f82bf9ef7ecd3832ee37b38a2cb4edb1b46cb4a921f3b7ef742183a9ee1b501c5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
17314fcf906fe4caac54e742e942448e

SHA1
4e6b148193f4e4a846f12ad13359d643b8dce5d4

SHA256
5b60ea6a9ddfbd7006b3f2b63da6379fb442e0e9d5127ccf2f8773a79cc8d1dd

SHA512
a6b151ad235fbd985711d73235157202f5718e0f623093df1119239ded4d75f9d5c71c454ac605e02e1e958752ce1b629db45e9da474a136fab5470c0281bb57

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
590031abc615a740a470b98a51837c2c

SHA1
dfb20924cdfef98f1ae52b28b13caf8f9a95546e

SHA256
fccb37189e05824015a41fed397bdfccf051122ed601560a614e039b9b85cd23

SHA512
a32ede0a6eebf129e6317f1304cdd38591c7b4003107c5b843e2e1273499028d2ff712dec5cd7967a9721b617be51867fbe3d7e394a9eaf6363f0438b3ea576c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8af640a88d82e2246fdc91a3d4801ad6

SHA1
40da21c03bc07594bd82f680773539f18b3ef428

SHA256
dc9cd64e765f88c037d7607ad2b0f744a30c75c5d12c7037fa24647759cff2a6

SHA512
367d8f95b45fc3f5a812e15fe06eda53f64541a57fa10bb0a8b70991deb618fd2a66fed3d328fd19abdeab6c3e84e4683a727622069ae43b8d109004c5a0695e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba8ab2266016bff5301f9836c8c480f9

SHA1
6ed24cce3020f70b6b817c4a114d2597641102dd

SHA256
ca93c529ec4a3b3d83b42df5d8bffb6bdca213fb47a6e067fb53a66babcc081f

SHA512
33942b69918a696792534e2dfa2038d4c60fd806dd1b071ac2e5ea906885c358ee0ef788aa36979e7d14a71183f48a29d05918f0a13c0a1e1e64a0261c61b0e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
833bfcdc96a249507339b42f736336d0

SHA1
6fcf1b3763530685f87d338ee21ef72f53757e00

SHA256
40f65d00186fe20e520bc45eace8cd36ef8c3f6ed8474ea3eb99124cc5afa498

SHA512
c269346b3163357a555f1049262bb796040e960a0c531d960cffccf6b7e81736c15a88f1d100d48fe184988c49ea0beac9597cfe05809173ae007b20fc978b9f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f5a1f26dbfe3f8e466409983dd7161da

SHA1
d7786a985ffa304401456c18e4bda22a0ba7816a

SHA256
83d190390df0dc5b96da6cdc4a1c8fcf688ab9d2ce0cb55ee03c28565f5dac5f

SHA512
845d6dde709f6cf587e5a7a39262222fc431fd90550fd7046e787cfbe404ea69630ab359c7c0a2ef3f17f3420455fe24a6140ac734077c357a6e5160d0764eca

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a6e7bf45c9610ce4fa61473085cfc37c

SHA1
647f7ac0c2f74ac7f2b14f15bfcd9e68b5a8bf1f

SHA256
46a3b3028edf02346302b1ee0be06b5333d8953503cbee641687b7fe49cb419d

SHA512
4bac9b3051935e233ab60baed6facba9a40ce6fa9d00309b9f06f234ab119fb2be4af0b8fa26d24f8f884e7ef018651a3f05aaeda88ab125cddbc980f15eaf5d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f80b39700bbdc5ae7f29f04656a7cb31

SHA1
7f99293eddbe8c57415fd6f066ea428c47229088

SHA256
aee24fcd85b73b2d574e19cefd72a8bb8066a5912a9e69bf56d9b59e22cc3f63

SHA512
f106d4b51e468ac6cf80f7371aa05fee1bf6dd4dc2d90bbec9dd0bb2407abf459ba9ed1632bde4a07034e5c21d1f85a15e43d105c0d424184dc0b87a537e0544

Download Submit
memory/396-257-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/396-525-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/400-217-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-479-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/404-181-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/452-65-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/452-73-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/452-160-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/452-71-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/704-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/704-193-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/704-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1408-153-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1408-287-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1636-268-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1636-107-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1952-26-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1952-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1952-179-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1952-29-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2060-6-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2060-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2060-0-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/2060-39-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2408-142-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2408-283-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2488-18-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2488-28-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2488-12-0x0000000001FC0000-0x0000000002020000-memory.dmp

Filesize
384KB

Download
memory/2488-178-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2952-230-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2952-500-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3060-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3060-465-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3248-463-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3248-197-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3664-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3824-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3824-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3824-49-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4028-91-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4028-92-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4028-105-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4168-223-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4168-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4168-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4168-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4388-167-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4388-305-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4496-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4496-60-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4496-54-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4496-76-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4496-74-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4800-683-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4800-273-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4800-269-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5184-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5184-688-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5348-312-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5348-689-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5528-690-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5528-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5624-491-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5624-691-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5728-572-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5728-516-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5868-740-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download