d2fa7ff03a86213ad377cf9f368cdbc776a2be010c0294aa334d1b9fb19ed6e7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
Size

5.5MB
MD5

7d4e87c1897b9a4ccac29eb444c7e7b0
SHA1

3962465af7fce627e3f8ed1304a04388932697b9
SHA256

d2fa7ff03a86213ad377cf9f368cdbc776a2be010c0294aa334d1b9fb19ed6e7
SHA512

fd3fc4e686fe2fc879dc0789db16454808c4b1898779f0534579cfadc2ae74705c7f75e06cd97b4e2574a065abf19266b8f4c9e351bc14c148af1c96cdb97692
SSDEEP

49152:OEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfO:UAI5pAdVJn9tbnR1VgBVmKpAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3012	alg.exe
4812	DiagnosticsHub.StandardCollector.Service.exe
4744	fxssvc.exe
2812	elevation_service.exe
3984	elevation_service.exe
3768	maintenanceservice.exe
212	msdtc.exe
3668	OSE.EXE
3728	PerceptionSimulationService.exe
4060	perfhost.exe
4188	locator.exe
1576	SensorDataService.exe
116	snmptrap.exe
700	spectrum.exe
1916	ssh-agent.exe
2020	TieringEngineService.exe
4648	AgentService.exe
1016	vds.exe
1700	vssvc.exe
1660	wbengine.exe
3536	WmiApSrv.exe
5048	SearchIndexer.exe
5204	chrmstp.exe
5312	chrmstp.exe
5104	chrmstp.exe
5596	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\71a3e046b3b9834c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bec2b6748c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084d9376748c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001dc3626748c9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed9d3c6748c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ce6c66748c9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056d7566748c9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
4820	chrome.exe
4820	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1784	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
Token: SeTakeOwnershipPrivilege	2016	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
Token: SeAuditPrivilege	4744	fxssvc.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeRestorePrivilege	2020	TieringEngineService.exe
Token: SeManageVolumePrivilege	2020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4648	AgentService.exe
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeBackupPrivilege	1660	wbengine.exe
Token: SeRestorePrivilege	1660	wbengine.exe
Token: SeSecurityPrivilege	1660	wbengine.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: 33	5048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe
Token: SeShutdownPrivilege	3140	chrome.exe
Token: SeCreatePagefilePrivilege	3140	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3140	chrome.exe
3140	chrome.exe
3140	chrome.exe
5104	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2016	1784	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe	84
PID 1784 wrote to memory of 2016	1784	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe	84
PID 1784 wrote to memory of 3140	1784	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe	85
PID 1784 wrote to memory of 3140	1784	2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe	85
PID 3140 wrote to memory of 4652	3140	chrome.exe	86
PID 3140 wrote to memory of 4652	3140	chrome.exe	86
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1048	3140	chrome.exe	95
PID 3140 wrote to memory of 1552	3140	chrome.exe	97
PID 3140 wrote to memory of 1552	3140	chrome.exe	97
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98
PID 3140 wrote to memory of 4212	3140	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-28_7d4e87c1897b9a4ccac29eb444c7e7b0_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2ac,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc8acab58,0x7ffcc8acab68,0x7ffcc8acab78
    3⤵
    PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=280 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:2
    3⤵
    PID:1048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:4212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:1
    3⤵
    PID:2004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:2656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:3536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:5436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:5924
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5204
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5312
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5104
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:8
    3⤵
    PID:5992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1916,i,9385203873531663068,10820540932091594342,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:700

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2192

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
95bf879a2b09feb53a3952d9c0a7d4fa

SHA1
3b60750140d865f20aa2b5499b42b500917fe471

SHA256
b6016e9b45c76485585763cce1008159ff5f7a4df31cd10a27350f47fad7f726

SHA512
245c73348a2810bbbe3d6f358a9a08790b6af7a670bb24d4ea1c9b3cfd2bd0ad0f0746154996c913b07cfdfe23e28b5f4f854a2e0e72313c68d2f54dc61cf394

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
00c79f0ee9b2f903844e5f46b421ea08

SHA1
503ec9d642e6e1cada2b26088a0bcdb1552ecac0

SHA256
0c6bd1d21fe696c452d805b0bd21db9342fca20dec8344f1030d08eb2999d71d

SHA512
33cbddf8b68191a67794bff31db1d627d6fd0cb1da86619d0b620330ff28f3c2d8eb8b140ccb4454bca78e75f24e69d5827288ebeed0805bacf8c061e0fa43a4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cb03415bed4b3b8c210debc8f59c07b5

SHA1
107e57b56b82f2a450d400efe5dda26167883221

SHA256
8fce94f54b7711f3ff2c4cd2de7b46e0e557f674e16d14407fc491983e2c96e5

SHA512
9fe296571926fc7dee9acdb60105a1dbe5a8b97c7a60186f38474220b194c9459e29ad32238ebee2eb346deab631c7d107d3c58c5cfbe288b9de0b53a953b1e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7ae65fac5a722d76ac2e99206cac6bf2

SHA1
626d7a03df6baccab2d6912416b51133d6c3fc9e

SHA256
e9e2e212de3de63957d08f2b12409c3d4463bcbd9ca7cf3d3a5639e1eb71cd73

SHA512
7d9005c6736226f798e9713e071b88dba59d300c013e9be28f61d9716c64ad6a6f788ac336f5200f88fb6940d5e84a978ee40c80e588ec51f3b9daf543baf36d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
23529ac91dbd0f58ae5825e26ae15b59

SHA1
0ef7216f6a36dc0ca94b82e02219e9eee2ab5cfa

SHA256
a99180a8236c2c0d2d8f36e24d857c70155861ff936e5e20849a1fd74fe6ed3b

SHA512
013c130b14bc330fbb3013805a16c1b6ca14b3e0361972e80c162b5cdc43cdb379639b55d733e788273db0c642d3cbbcb011652d213ae1b4a78342bbef537e87

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\46c6b45d-70ee-4f56-b2f0-14473e06e955.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
3ea070e60e7d429e1e61c8db38c29e6c

SHA1
5e299ee911c837db884fb5fef2f5abfe4e9e8863

SHA256
b2a5745d6bc2caf9e182d87fe017e223f6237fdd3768705f02a67a10b4cc2d66

SHA512
bd55194313210c91259cdfbe4e6cbef7eb74adf00b7bb292cf8bdeb109eab962f8253ed0277461b94fe7eacc644648318baed002cca9af07b27b00e584fb7cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9292ac71-13d4-49cd-876e-4ef652925d15.tmp

Filesize
5KB

MD5
8c361e14e6a2738c1c64ae5e8020bb00

SHA1
9f46b222d0d38e4e83c5d1b23bcd34645f89e35a

SHA256
c68c60bbc1870967e508431554a31aa5d4c0a3863d05d680e9feccc431677738

SHA512
cd88d5ed8bd153f2049dbda94655b2304c8dde76c344e6d48c4fe51704b8186717b486846535d9b90c98172b71277918c64ec94c8e104b64cf5ee24550d70489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1a02440fa24cf194249157422c7f0944

SHA1
2a74678cfedd053cf71367a2729354ed4ba29239

SHA256
da188f51a39fee57c1f30866e349eb426d29531a399677efc498276ba21dfa80

SHA512
e0070880437ee2ce4cde3adc2781b890fa1ea3965397fafa1e53570407a2b134c3935c327cbddb40ebc93f9e56fbcefad2127fe38a9c6f51fb86a41593ce241f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bc1d10fc903bb7cd479c5f7855fd9641

SHA1
9c47398f9eaaf987db3b112d6bd44aa9d9e42934

SHA256
52280399e702e21b1c11c703f747737ec60a13fa7169ed5188f155d807d75c2f

SHA512
9fa813920b4a79546d870fb966997444fd416f3ec838275d8b36b31c067e8886b6802f050bb8b27fc06b51a103d8545a2e2146096e6485cf69856ef4435e2acf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576f06.TMP

Filesize
2KB

MD5
d815a154d920aff927b3986ef84917db

SHA1
c1c2bd7df2e21219963cc39d302b18173713afc9

SHA256
0603be058d7ba2a08d3233e42e5575b76578513ddc7e3cb58fa53fcbc5e26028

SHA512
7f7fbc48d9be3c0a935906b277e766261ca8fc1b9eb05542d528bca09d1bd817e6bdce0fd87fe3f56e7597f09595b5b610eb103903a66c2bd79de04cb4f250c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
29909de50ebc703ce261e32d3ffa0132

SHA1
d56ef9bf57eb76b890044cd41fa749a2376ff202

SHA256
9910199625ca9e98c46e9afdfe0da1ddd09ca98f271fe6f14ca764c15edbc247

SHA512
6dede8dc8dc10337047073c088abf83e3de47df70ab2bbd70e8f057998492b892cd34b8296e898554b6d1a18eb6681d2974908bf32b1a97d708d24690f077604

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
4c2b3d766d7382d809db59deeb6d3b75

SHA1
a9eb27a1179d4929f6061810cf5f198ad8c12aa6

SHA256
6ecbf0a182a47365bee2c5429c0cbabc72fb465987082e3e8a351e9a20ce7bef

SHA512
81d823c68fa86e6b0db2d3981e6b449799f7e02b7237c05f05909ea4ea4604bf2396ece8abef7ec1983841baf381086329cd0ed3d1eec013b51d82d1af989b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
1ffe1a389fffa671a9b07f765aab70c3

SHA1
4a23d803e79ababefc3c42c0865a8130023cc0fe

SHA256
5ba2f80859bad0c8b79a441d4e9d9958e8f401d5209080c636233888c55edd48

SHA512
fd56353e2f7e73c91001f33ccdd75a86fa11b1362ad62c63c1715370d0c9193e815fe1733e60a91dcd9f8ab889e98625d26e48455b8e19c8cf6fc6a43dcf0391

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8992dd4bd788a0f29f08313862c1e45c

SHA1
782284c6da5353d43b7c54824aa142d89444a62e

SHA256
bea3848338f2d2b541eabe3e80a57895a9e16b336be770a90f5423ec317a8985

SHA512
e3e2b2c672d59d295fe401f4ca9911fe158e4f204ff108befa3026661dff1898b37d919875d49a7e078b27cd9b0a5e1bb48b2a1999507c2db34007a6c3715154

Download Submit
C:\Users\Admin\AppData\Roaming\71a3e046b3b9834c.bin

Filesize
12KB

MD5
4238f0229a3d67f9578a071bba2c14e2

SHA1
64a0cac457184a7d2e68290f501950133218cfb2

SHA256
2f31e0aa29cca40ff50ff3bdd50ed9715806e7cad93b6ebb3ea640d05c88a3cd

SHA512
90ef60b2de263a4d3f360202444ad514a6e522c7c453c6dbe6029a9083964f981647861dd3215212684cab08488d714c5d32deef66e26494a485a2cfc4f4b85a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8e5449eee489ec6b1a293befa998f829

SHA1
b55f5122fe745cda61bd97fdac51c46f853ccbe4

SHA256
798fcf933d55e7eb9b6b773c498120e6cc9d842151edfb5a20d4761a6df711cd

SHA512
b6a34473fbba0cfb64edaa9052794fe1d8d4746e75075cbb8ce76593ba16ca44bcc36e1398df60c99e3e4655e5251e915227472f30cc180b9c52e646bdf066d8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1cc989752b81adc16d1445d0cff75bda

SHA1
99253cb037ade267c5c2bf7294a499d860c2bc41

SHA256
387bde2f08e03db8954d5407b94660a76f6bed21083c53164afccc7d924a2625

SHA512
777426faf7f05f760ab71eda708a44fc87c79b14a7ef8b3667458967f9021b80be9f2f7b5763997c45ca43151515fe734742c85a24438c145a94917de112bfa4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5d46a747f7339b0282cd9ee2c8efc915

SHA1
4eeceebed31758438dbe0cf1dbf0d02e1a94983b

SHA256
e3479b35606ff7a7f3e4f2c293acde2cee9669af465c26f82c71168896b4cf0a

SHA512
8ab60446d37a44be0e2ebf909e1a9c27a10000fed8c403519946b9721260672f3593847c0ed81772c5c530cba9bf149ab8898503a6a914767b494bbee18961bc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
81b3b2bc15f9260cd06c5f84f3d83249

SHA1
0270b7f89bf3df080d1ff6918ae6da6f033ac764

SHA256
f59b1d9e2dd9c15d7e3077944fc37e55df8e65e037815c8ee246bad1f98835de

SHA512
b5e1c098fda3668c72994f3151bf16f67aa67a95b51524af2bd941edf78d2c671ce432f7f15aae090d41e209a8232782b05ef341d4dbeafa5748c03a93ffe368

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
244bf9aec7a6fe7fc8da198adce6773e

SHA1
acd3911a31197555bdef2a3fe51e2a1220350e89

SHA256
551884935f4af7e4f1904777c52653c0dbf6f01a9d7fd420b1b9c42a55354e40

SHA512
3a2765426c9becd538c645b2a8d0ba8009db7bfd1745538af56b9cbcc85ce1832c5deca5dc55264de77f59a5f8b8278d6212acfcb2031becc540610f1a304d30

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
adb7b690eab6812eb297ccca315d67e8

SHA1
f20445f63aa1d09abb2c7d6da801affb239ce4e0

SHA256
11701c0defc9ccd487bacf283df83736f56d5afef0d166d0a1825e8d2e0cc9d1

SHA512
4d3fbf2cadb43414b61b38587046bfe16a8f1f70aa8979a14cf874de718fd0a924579ff93c9d3b406366c9f3187b914b5f767c57ec900df8db75700ffaf00fdc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bd56845acbbfbfb3686c90a802c68020

SHA1
1be2608377c731686ae291ba53444bcc183ea122

SHA256
743f0eb121f2e4bc6f20e76ffbea5efc54ee7462139392b20c64a724c15670e9

SHA512
6a4292b33014ec4d769478fa5cce5d450883a3b5b0d3f4159ecadca2bcd33d6da9f413f9bb4aea623fef8dda0887031451ffd686647bda98a9a27762b5a65010

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
19aa164c0a9196aec505f53c4e24aeeb

SHA1
19b74755043df46d9163f6561096f9fe2f485f45

SHA256
75a2cfc1852adf762f4224f9a5f7b743762ef14f84cc137ef88276e4e24db237

SHA512
5b4ddc7022568deee1f944d62db6b8a72b4d5bb55b6d9633f5bef7a5740dceaeade31e04e092035c4f439676e75cfcf381377f36a893c64cf5c2f244070bb3db

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1fa812d2fcc00736b621cc193287d029

SHA1
0bf5a489da444a48a40fbf5690a11bfbffce52c3

SHA256
4e9c4bf054f65f69dab7773f3853659a723b69f3ebca012f01f440f811302880

SHA512
b93b8e0e4fcd82d74c911217d0eb294c0440fa7b8349ccd46647badb545b1f4586ad4bebced1446bc52050decfd8ac2e2902cdf775507025ca1f9a5e3829332a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
26efe88fc71d5371e2a37fd0d408b047

SHA1
b8f36d28770312ecf27e0e9fa6046fb6ef744881

SHA256
8742b4d48b475779686571339f5532373eea12b225b39b6c36eb6cbeb399d590

SHA512
438dcc0d15801399efe6cd3c20cea563f429164c13bd99f0dc9d551350972d43726073c97cb5b50672466f668679510645ea247024ed5c8581d88ddb07143192

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
60b55ec620c641825cc75a42ab28f6d9

SHA1
5a54561daebe4883bef1da53dd4ecbf39fdf2032

SHA256
af024e921c91ef10cceac56a2e88118535347d67a493db747c1e88a5ec8ce89d

SHA512
209197906d46f7b66bb03b208a8f00ac7113ba70eb3ce1c33ce37d3c898270f128b046c98af42d6332b71b49ec4104221aad436b8b9242a4ee6062e9c02c2438

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f1552c90f356f43dd200698dcb8cfb87

SHA1
256f4bd322c02c774404a613b52db317c19599ca

SHA256
e012947c325cf8eb0110c8496769cabf7e81d03b6bcc499770b41899ab60bfc6

SHA512
defb119ff90c2325a6af415ca3f5ee844b4e33996e0b0bd8750fde744612818d10c04f8e0aa204309d9480ce4d77964295f57470135600d61c67a76c2d83be2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0e5b09b92f89bed33cd47e8b8d69d91d

SHA1
8a880768751b524978f48941a64a98177c8e82d3

SHA256
93d0d093c86ae337ec8bc42d4e04b2afd114ff02c626267313dfc5d7fb56a033

SHA512
8673bbed97868544169b2d9b616e8a25eb15eb36d447a59379d583b7af983658caabaa05952e1a62bb84ae95b22f0221c71298da208ccad4d28153be68db76a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8b030dace925672f931bd259c7858664

SHA1
23ff6507adcb04b21326cea8a94849137d3a3e9b

SHA256
7d69e1498b183c1accc59edd9e17fda36a82989aa7ecb05ec74c4889eab8e7b7

SHA512
64a60d872afc3626ea454dbffcd86f2a02fb2891c4c1693e5410427f9a48720ca2383a2d2855a37ef7ffac75f2ce5489fe35c1766cab210e54ddec5b7767ecce

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a2312769a487b6a5238e12b20a64e073

SHA1
a00d2509c5cded4d1dfcb75d9f50dc6d2fdfbae6

SHA256
0101116d65e6f56b0fa1dec1f744f06d5c095d093635d3f48b2de397a1034283

SHA512
2f7a28f5237cf6826518fd70a70182c0d768834bb6fab442843a17c429fba7fb17f4ceeabc11bc127643f833aa666cfdaf27e5e2b41689bc76d1fbfc8916b6ec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
81a6c4ca07b9aeb0ef0ee19a4e1a8dac

SHA1
54c86840cf7f97ed0e9a6d2745dc25558fae0b7d

SHA256
fc395a368c54e368adb7423891a65bbc3095752b004e53e120615239b89fc80c

SHA512
1ee6f4920c437df478847f53fb233db285738f84d759c743887f65ea5e4ef474d34e86f8e85646ebeee7dd2a2bd3919ef687ccb52c9d1b845540c9a56625f0b0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
68c9286e4f136e2831e4a91a8b659338

SHA1
2baa476a0e0145d7eea124ca77b4e9c33411b913

SHA256
6de268a8ab6b9fb1c47689e63d8990c97806e8ea69cd38ae441a7c8626aa7806

SHA512
606a2d7c69870d892ca2f3cbf687da095fd99330b7447df0b04aa81f60bf4709e9c370c505dc99450f21361ac3c7d5c07fd41b20d2a502671f03ac9350e034d3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4f7f947518310b63d4dc3fda72e1664b

SHA1
8fbe49c9b502cf82f6115146e13b36679e8b0918

SHA256
1616dd0a8a5ce956d009724286c68298644f9f6654a3a5feed503c6700aa3e19

SHA512
c416cc9653dc16c88889042b1fa358461e7517d681747cc157fa5badb787689d55738c068fd37feb055e43fc5d705faeb32d2fb99b4ab0ad2a827ff7b8b03b82

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
36ce2b6cad119c81a528c439949cd5c2

SHA1
f635102f17707ca52a99ae7082a91df76d1c4d6f

SHA256
0c090de79661e741558d04a5e53e617bf3a81c1bf4fca885509d6297f59ede52

SHA512
848fe3baf38ddf286b42c0c9a4c443d3851fb681a095e1311d0a312cb84a6e99aeee42f165d51174de98fa6ce862d6851d5ed3c9eff6aae5d323237f48c9e878

Download Submit
memory/116-165-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/116-399-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/212-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/212-211-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/700-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/700-414-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1016-564-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1016-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-233-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1660-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1660-227-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1700-634-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1700-223-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1784-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1784-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1784-6-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1784-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1784-0-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1916-438-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1916-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2016-117-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2016-23-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2016-16-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2016-10-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2020-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2020-209-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2812-148-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2812-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2812-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3012-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3012-135-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3536-229-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3536-640-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3668-118-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3668-108-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3668-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3668-114-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3728-121-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3728-132-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3728-222-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3768-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3768-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3768-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3768-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3768-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3984-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3984-193-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3984-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3984-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4060-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4060-226-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4188-150-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4648-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4648-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4744-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4812-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4812-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4812-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4812-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5048-234-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5048-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5104-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5104-488-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5204-410-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5204-499-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5312-423-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5312-642-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5596-448-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5596-643-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download