3d378f10f319596d716a05b2dd00cfe278baf8fb1c66d110d762bb775a72e951

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
Size

5.5MB
MD5

f6370852fb32bf69cfe1c03fc0876222
SHA1

1a634d6230bc539a37ec80bb137290a42b60abbd
SHA256

3d378f10f319596d716a05b2dd00cfe278baf8fb1c66d110d762bb775a72e951
SHA512

99c17e7afa3a86159591fdeb73fd66626e5d42e1e2a15872512c946dc8dc456a6df2c30e177d914628e505502307e5fcd7c50058fed36f5461d9831e087f3efb
SSDEEP

98304:cAI5pAdVJn9tbnR1VgBVmXHFdi4VEk0V:cAsCh7XYuLiJk0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1864	alg.exe
3116	DiagnosticsHub.StandardCollector.Service.exe
2248	fxssvc.exe
1196	elevation_service.exe
1760	elevation_service.exe
3812	maintenanceservice.exe
5108	msdtc.exe
3524	OSE.EXE
1016	PerceptionSimulationService.exe
1756	perfhost.exe
2112	locator.exe
440	SensorDataService.exe
4656	snmptrap.exe
2364	spectrum.exe
4680	ssh-agent.exe
2852	TieringEngineService.exe
1548	AgentService.exe
3816	vds.exe
1540	vssvc.exe
4964	wbengine.exe
2276	WmiApSrv.exe
2988	SearchIndexer.exe
5256	chrmstp.exe
5468	chrmstp.exe
5704	chrmstp.exe
5824	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9b8ca83b253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\java.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641453106849499"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000654fd89331cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e124728c31cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcae189431cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce3db48e31cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090c26f8c31cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1c2158e31cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
6936	chrome.exe
6936	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2772	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
Token: SeTakeOwnershipPrivilege	3724	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
Token: SeAuditPrivilege	2248	fxssvc.exe
Token: SeRestorePrivilege	2852	TieringEngineService.exe
Token: SeManageVolumePrivilege	2852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1548	AgentService.exe
Token: SeBackupPrivilege	1540	vssvc.exe
Token: SeRestorePrivilege	1540	vssvc.exe
Token: SeAuditPrivilege	1540	vssvc.exe
Token: SeBackupPrivilege	4964	wbengine.exe
Token: SeRestorePrivilege	4964	wbengine.exe
Token: SeSecurityPrivilege	4964	wbengine.exe
Token: 33	2988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2988	SearchIndexer.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe
Token: SeShutdownPrivilege	4052	chrome.exe
Token: SeCreatePagefilePrivilege	4052	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4052	chrome.exe
4052	chrome.exe
4052	chrome.exe
5704	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3724	2772	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe	82
PID 2772 wrote to memory of 3724	2772	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe	82
PID 2772 wrote to memory of 4052	2772	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe	83
PID 2772 wrote to memory of 4052	2772	2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe	83
PID 4052 wrote to memory of 3456	4052	chrome.exe	85
PID 4052 wrote to memory of 3456	4052	chrome.exe	85
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 4296	4052	chrome.exe	111
PID 4052 wrote to memory of 5000	4052	chrome.exe	112
PID 4052 wrote to memory of 5000	4052	chrome.exe	112
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113
PID 4052 wrote to memory of 4836	4052	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-29_f6370852fb32bf69cfe1c03fc0876222_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd08ddab58,0x7ffd08ddab68,0x7ffd08ddab78
    3⤵
    PID:3456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:2
    3⤵
    PID:4296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:1
    3⤵
    PID:2888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:5412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:5456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:6036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:6116
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5256
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5468
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5704
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:8
    3⤵
    PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2524 --field-trial-handle=1924,i,6215081291927365264,456071411743256830,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1864

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3004

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3296

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1e9d9d53b661f87e08ea66fa3c5740ed

SHA1
cc62bd17067b768c6227d92117fef4d6c8cd9d66

SHA256
6bea4086200ea4f590cf747d07d90a3e0b052bbc05233e2b8a099a87c9bd6a3a

SHA512
1d522765ae01c0ceec725734c9a091866f81ec996c0ab5c73e1ae70fbcec382d19d3a6bd14f7b3ec1112bacdee1e9c79fdcdae432d7c36507e3eef6b0d73d37e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f1fafcb6ffd166b0ff801cbfcc5f5ac6

SHA1
3f32dae26509cda8e25ae9ac6dd53a0c2eba224c

SHA256
523756500d1fab0e3553677f5f349489b6d756375f47940ea495a0728fcaf722

SHA512
7fc6bbf7e2ffd2a8bf23841273dc8799994251749f544ee43ff6fbf35a47bdd20a2238e60d11d26169a3141403f82913588aee7525b1a57d03304ef655fb66a8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9f48ccb1b7f67597be7e71875b1c01ef

SHA1
3164ac37bfc353b61795dfcc1e9934933845bd5d

SHA256
2b017119c962e1f80a8cef60ff625c9fc5bc8e3ff9a5cdbd8505815016094746

SHA512
408f1d30042da366dd20bf0662c8bd314bd9cf819ad456d61843b15df367bfdcecf97e48a08f54149865946943836771356c96f417f44ee31e712612b06fe8f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ec57a8f93ce033d680c68a77457d2737

SHA1
2aacf2bc28ade7e2ecb5c3d44987465fb0e69ccb

SHA256
21a804496434171d3f257a20a48b4650ce12b7b4e6c5278e6a00545ff5c0a753

SHA512
db9cde94b85265df4b797cc20b7ef9d5d414f5ed187c0e4d21522c8c848fa6ade22f297753fadbb62ab59bc99587e6973f60ef5dfdd16440958462ca4a3f0aef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
114e13986484ad9e8210219f7031042e

SHA1
d725166aa1fc9223440ac756e29157b660099e14

SHA256
7972bd884fb666062a07cb3b7b3d32682a726ed949cebd4f3853a5494d81399a

SHA512
34d51c3ff2616ebf6c62cc00e650198f46f57046c671047d36a91e5426360c7cd4cd4df93054124a9c8a04425889a3ded0acc09090c1787fd009624d4ffa7eb7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\94ceb4a6-3e19-4f57-8b0b-82ecc76120ca.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a85e5add31f209ed527bf82ac0768582

SHA1
9551a7f1878b70b64d4ed23aa8f5d69cc6f272b9

SHA256
9b28265c7c93e93355a28432984cef0ab471397329c2924745ff139d2a585c43

SHA512
4e216dc0fb62569a58c05a34e91658cf481db11e2d27589f1cc556ed2e986bf6d999a51dd35a6cc98c59be97f9f64df3ff084bdd8b8f1739f4589e7c47e11bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
104a143d597c58c8fcd35d2e069ab0e4

SHA1
c409c658f1f7343644906dd073898533c62ad958

SHA256
107d84aaf0fe4806e2f7b6ef75f2456a5e45afa0935a83e6b9889d5761a21fa3

SHA512
bee9f4c71a7466b33ad44540daecf452008e0070e56d9c8270d9dc2f267a43ebff4730e11888a02e3ef0f4e16770c08c6957d3cf6164f8adcc3b08644cf99e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
149d6ab9dba2a37b1fc6f56d9aa37a2d

SHA1
94b3588a613eaee73a0e9bb9ebd0076802f2e38a

SHA256
a2e4d1e00d8e4022b3d979a93042bcc220210d81624139b52f4f2ae8c25c9422

SHA512
3c17bbc5c4f170f2520c5f38c81dd426045184d5a15140f93d98c8cc18369f71be0b3f503783d4766f625941f9d30c83aa6c27de01ee50008c506570cfb3f5fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9a0635c54299a1c087f559e72e43f032

SHA1
497c1ac16c49778bacbe1e52841581ce805e0a91

SHA256
7dd2f49258f90eca41354db5d22a6b532ed95136cb604b435efec9791926acdd

SHA512
45b5bd0d41cd421ead788791ca60f2c62878d57f6d1f51b39f6b5adc32ca5dd14b9e0b2d5c74effa2b0a325fb15ca0e755fe9879886e0297c733f01419776fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5768fb.TMP

Filesize
2KB

MD5
d917d97c3b6c9738b6c7d64102541501

SHA1
8bef2ea95a43a99f555131ee39968900da693d2d

SHA256
a19e2eff9ef2edd365b1a025e04d95cad5b88513a76a165c3064a223be7ba978

SHA512
bb62099154a7d9df3b4ac848b9158b7022a588745693fd01a1e1c0859280b5fc9c247d0ef6dcec85618a2a778daad7c2e1251616ddd956d661ff4842d1cc9fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
11650de5517333e7cce873c37fe86b68

SHA1
5657ff96ba1405bf15580db74a2a3affa71622f1

SHA256
3d4b6bbfd03575e4bd0ace2c967260d80446d22047ed660214c01ceb74d12833

SHA512
f751da93cc1cf3b1dd784f6902924052e861e2c571c181b286c878b5ec94940a9c19fba341a2dcd7fdbf83316bf4cc26b63d93bb629dc38c97b13c6ca96c1598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
8028c6da3ed2f11651e3dfc65229b9e3

SHA1
3403b030170adaf65a0417240da50568cd9e1cd0

SHA256
af76956e6db56028286f3099bb5131308901a736666dbf48e897a67b757b026f

SHA512
2b5cacb92151549988b0b9c9427bb23d7c0e3af7b3caa03efabddb369517bd9366254f92a120196d1d286d6ceb0583125d6447b26775ac26c853d2dd662de45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e699863cca4f29f2b3ac73ad92c032c0

SHA1
a25a514be37100092336e910ccc1cadca9702650

SHA256
d1156e4646db734b4aed2c87d5f87b97ae54e91d904dd185b1d3a6fe09facf4e

SHA512
74f3eb92f6708c4f6a4c385d2b9a4cde3267ea8f266ff0ec326d2ff6faaa14b94b726c848216dc33430bcdeef4fe3cf9d0b24509c376686dd1b3543d537c8b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8677da5a0848b45c6dbdea500033837d

SHA1
0862a26b498766e0a4c2b5b2c7bf06af15a26e66

SHA256
e4274e9031f96b3750b7482faca48065aef39a4d647e88ae32bf9c8b11c007c4

SHA512
a9a4bb947bff6cd569568b1d626436385d22cc6e4d4ea160fc6c3c20e32c78f12cc8116f5e2333931ec4281822ad857f1a114f1a6d03cad585a0726453059569

Download Submit
C:\Users\Admin\AppData\Roaming\9b8ca83b253fadf5.bin

Filesize
12KB

MD5
9cc2411e96b7839c85823f0eddfd343d

SHA1
ec19881f9c1f833218219c8429b4c505672fddaf

SHA256
34ab40437a7fbf4747433a4e6ff0d95e1cd672741f85a3ec6a0a56e316cf5bf7

SHA512
b55949fdd291a026311b57f2d73b6b32dd8114c2a3a98aed331c1f71a79e6134b8e0243e296e7b381e1f3abf791b00ffc7299375ae8e3b2245bb18001edc2758

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
0e73e065edce9c9133f7c8b75f07ba8a

SHA1
35807b603bdce15ba675817ebfd87f909b37e6b2

SHA256
e3fdec3c941d111d376cda4d7d0e3520016b072128b45606bda9398f5142d0f9

SHA512
a12cbbe8aedb0a850341cd6204cdb97ddd685a19f3beb4b8ac08502417089b7387ec1625d79f0596bac7d19dc124903e3c6b1f7addab3ea7fddf6d7283b997f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e82e1cab525ff4891332adcfdec80ddf

SHA1
b6c93461e514350bf0e23e51eab477d43759cf00

SHA256
6107ca4eedc86308fe26a6d6a88a9e44a91609c47684a26637f41c7b0967be61

SHA512
5e07b361de1df31f127447ba83f69b5e0ce48383b7e9e62496e9d6bcb948c43547eb4c2fe0e2ed38a7b85c608b8a32971c8da356fe645751342ef581c1703b46

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a73d9f92fed5665d1c2c827283b1b599

SHA1
e72d7d697aca2bdd708d798a62dd84eb5435f5c7

SHA256
cc90b3c1e5f991ce88b6d76b8827a8c6d3bb2092fd36ebf5e50a9c1ce47e2d6c

SHA512
5f87dd78be21f53c9408b8c4703284eaa1f161872dae0d92083a98006d0ca9df3015e0496eef089eeffb827d544bb085bbceadd718f0269c96bac6e30adc69f7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ec99acc41a2685e26c0954921d83f3c4

SHA1
8df1b44c44b5267148b6b69e41683b96eba65b59

SHA256
4fc918e1631007865b0eb1a670ad139b6b0472602f84d3e6dfd0a507ec223c25

SHA512
7b399fec35abf5556042404c1e20c2fc8305ddf0c54e3a64fee0f3b710b66be489f6e4663e7e58900504ae90db074b989dec054ba24d0abc22d0983fc3b02ecb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9b67231fc165ae592954ceca430df8f0

SHA1
5c40eded48b3dc19ec099d7a551438c51d776f54

SHA256
0feff03c11d9243d7255a971356527eb8970a88cf14df6872d895b2c42337b51

SHA512
9adc8fe8221112f37754a80bd758b79d4c931bbefa6bf897d8a85de3f3e32ce4a32174cfd9f99d9999e33cdd7e996332cf4d4a397c29e8b0da1dee699487d136

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
468e415e9f8e6045527f46ca593aef40

SHA1
d5519906ef7e335ab4329156b9a07969dccaa40a

SHA256
3df2faa392a2bcc4c1f59361def10a0d44c35446453aaf54918bcafcf9f26c3f

SHA512
cb131bd60fd8a5a049cb889ec9cef09b866fa377eb22977869464966fa48ba72be3220b01e3504fe4cae0c00a22900eceab47bef84725f07d4e5e825ba850b0e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
89947a0501ea08b81886824cf51e85fa

SHA1
86562f4519229f2af2df80188372cbf57274d978

SHA256
782fa10f7190a0898bd364ec519086839d77f9e3358354ed547007e16c2009f6

SHA512
b6f4aef8009ecb40897c595145abc36a7ecbbb3246ccc7d39d4651866b7e89368993990e8560cf8e28607c30e1741b9a114de02f5602004cfdb29e1fcd3d1e76

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5512765bc3d605588a736a214f8e58cf

SHA1
e9f603e670856c2aa35521efebc42765c487bed3

SHA256
7ee77c7d0da64bc07c12e424af926b2740b905ea17380a865c75468c522d1c38

SHA512
9ba1966c22c25fef53d34d0be750dddcc43bcce82cf058dfdfdb1271d4c8ed54d93e7ed11ce3090b7ee561e906215f8eddace666bd83bfbb8e427f34f671ff21

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7a097d5ed0153a7683ab61669c60bb89

SHA1
885c63c273c98b942242b449377fcb3a53773d79

SHA256
93e4b12dcadc798787b0e7a93d2b75328442cf917162da48ba7b23a3b17b36fc

SHA512
37da16a892372105d6f1511765ed7d449238a6c4388d0b36711e57d8fe4416fd71869e6ed2feee14aa03df7582ea6f8d9cf5cf23ef93008518ac004bbb36900c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c2172e5af0be4e9b0d80bc3be9dd5410

SHA1
de1c6ec1563871bf90e0c009727a7b97a4d471ce

SHA256
27921a70741ea673dcb7862fc24fc7898b635ec772a66da871c5f17a6d4e1170

SHA512
40c95a8ce0a450813db91b5088512c80008ce8158d35a96429319251552e81eca25625e71095cb1927da4f82947608466220435731aaf6444ad4faec4afe590a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6b6256eac04174527e8ffd20e2c6c213

SHA1
cdbf603f87424a429ee4c72183c4750f8918c1a4

SHA256
8c7d64c57cdab55de3479b6891f44cc311a523b5ed8e923c5eeb410412197156

SHA512
dd6de3cf152c931261dcb0be45c1e64c2e7f60f6d121ebdd1e53b5378fa30b6d1680c156be46f005952282efa39135dd84458ca2341c7a9569e136ea727f359f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ef18f8dbbdf1a7308d7a6e74aab2dadb

SHA1
ed6182536e5495ef08d1ea92db7587a9f3e6bc89

SHA256
774e043398ce4ac932660b83ef8cda4866e43da3252d7cc23c662e69827b6101

SHA512
739829f57fd5d2cf162ecc88ebf25ee70e6b70c1ae7679e44b6b55a86a204c4de5ea88716a6315eaa335534d6b412180ccf781fc95dd3b81f4ffa3cab211eb13

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
66d45c369848056dcf4d453d021d9c28

SHA1
25aa2284546b0da5b8df3834e2bb2b2dd6535b74

SHA256
90851b0124f43af3b221348000bde71462e59f9b1fc77eb81cc436852e06aa2f

SHA512
0c65ca13c49f742f8ccf3b7e65981b9531136e9cc113ae216fe3a5ba8188292b3e573cd548a2b345eade871fdd1ab4eaea212c017b42299372be8d2ad84e10f8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
18e9be04d04540b4fc28902e53f79d22

SHA1
1337c1357c501edd8d834eb98e3dc11a1e1abcb9

SHA256
eff974e9f4dca92dba588b00559590bbdc3b8d82d107695261f1bd1f03636bd3

SHA512
f7da43566ad6464ed679a3eddc59e4d1a96201086540e563620fb007636c37ddbda6a6a990f8bdc9586be1319cbf44a362eb03dbe6dd916ac5db74957d0cc824

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
fd6ea6537c81bf19c73aab24e41dc50b

SHA1
39c2975b3a683e4f7e6b488b282dd9b657f6b43b

SHA256
a799ba42df872d69c699ba39c6a83423ce92f4ab16869530ba90dafe22d102b9

SHA512
18a4662b25aabbe882d06791185e33cf15da3abf23554d421cb6c15b2e07f7341e9b978c07270886714715ef19b385c6a34517669a3277f9f47081300bb651f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7f8723b8ecc33c3ae46c75cdb31c2019

SHA1
99b2e586836bd76b8fde9926d551ce7d1c24a9b8

SHA256
f21a89bed50f9f5de8bbf3996a01670ed6874a916a746db54a4d7223147bf5f6

SHA512
b1840598775875ca958d505900cbb3b14c8e02b8252790add8127c020fca770bc2110db5e9ab9c9f431747f38aedb83bf19c238d6ea375e9f3d2f7854b5a3e9c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d3b4bb91a569950785f0f0ff58a77243

SHA1
735afd3133f3e0b2454d267feea04b0aae9aeb43

SHA256
3ab90ad26a620f9e70345f2ee13c0ec09db86c06fe6c4dd8274a4defa5b1e2c4

SHA512
87f84cf7acae18c4cca46b09c609d74c48cd12f04cff00567fc81b9ca3cd82eeb17740cfe146115345110eb29fb6542e3a0c34dadcea6bb6fe829e76ce79c9b9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b5e20f1415347f0534114deba4fcfa19

SHA1
f392e8b859ae1526d88adf162bbd173d55ddc7bb

SHA256
548898da4bcb6f726b3a0d5145738c30ecc1ab76e75095641ad0c40e07ce56b6

SHA512
a0fb8cc1931f9778ba898315a127345e2e1f7caa2dadc5c64c91144d90c010320e376ef5a51407fc0215b6737fcc92f7b2cf240c53a74df795b10be5462f9b8e

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
19e6bd8510d0b56293f14196bd0c0149

SHA1
0b83afb532b210dad115fab4c596b0eaa16eceda

SHA256
7594ee0213326ce521672be806885c4bb3c3e0f1427488f000ccec459de6dc43

SHA512
af7e7408292d05c78d1c7fc23c2e854713b2146259e39ebd54955ddfd702b9cad7228019b2e3ce0368130f9394b2059e2c016fadfa1286a055380a2ec31388db

Download Submit
memory/440-606-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/440-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-276-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1196-66-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1196-72-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1196-85-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1196-448-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1540-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1548-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1756-277-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/1760-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1760-647-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1760-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1760-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1864-31-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1864-25-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1864-39-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1864-564-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2112-278-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2248-55-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2248-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2248-61-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2248-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2276-287-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2276-690-0x0000000140000000-0x00000001401A8000-memory.dmp

Filesize
1.7MB

Download
memory/2364-281-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2772-6-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2772-21-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2772-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2772-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/2772-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2852-283-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2988-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2988-691-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3116-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3116-51-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3116-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3524-275-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3724-523-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3724-17-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3724-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3724-11-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3812-89-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3812-101-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3812-88-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3816-284-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4656-280-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/4680-282-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/4964-286-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5108-274-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/5256-524-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5256-601-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-702-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5824-703-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5824-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download