85ad9534fcce96cf6c5c552a16caf7477c09182b66642769ba7c90d89024ef80

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
Size

4.6MB
MD5

98782e5a1ff07499541f24473553bef0
SHA1

876af4e3631e267d73182915db34993ea855edc2
SHA256

85ad9534fcce96cf6c5c552a16caf7477c09182b66642769ba7c90d89024ef80
SHA512

1e696526fddcb911f029ac5b831f898411b4a39459ade10f5937b36ec6a27bdc1d0f1352c1dfec9ef5a26f911236e14308645c866de8d85540118ecd8a4f5128
SSDEEP

49152:4ndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGX:y2D8siFIIm3Gob5iEkehgL5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2688	alg.exe
3128	DiagnosticsHub.StandardCollector.Service.exe
2336	fxssvc.exe
3232	elevation_service.exe
4636	elevation_service.exe
4908	maintenanceservice.exe
3360	msdtc.exe
1048	OSE.EXE
3052	PerceptionSimulationService.exe
372	perfhost.exe
4844	locator.exe
1344	SensorDataService.exe
4924	snmptrap.exe
3600	spectrum.exe
4012	ssh-agent.exe
1952	TieringEngineService.exe
4248	AgentService.exe
4888	vds.exe
3836	vssvc.exe
3856	wbengine.exe
3768	WmiApSrv.exe
540	SearchIndexer.exe
1544	chrmstp.exe
5468	chrmstp.exe
5612	chrmstp.exe
5704	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fef093604ba38143.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{939A4C0B-9326-4B5C-9760-544EC9BBB40C}\chrome_installer.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b908d8844cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7bc9f8944cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a847a98944cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3f08f8844cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb88098944cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cec8a78844cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079dd9b8844cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000332e8b8844cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c733b58944cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab419e8844cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
5408	chrome.exe
5408	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3040	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
Token: SeTakeOwnershipPrivilege	1144	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
Token: SeAuditPrivilege	2336	fxssvc.exe
Token: SeRestorePrivilege	1952	TieringEngineService.exe
Token: SeManageVolumePrivilege	1952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4248	AgentService.exe
Token: SeBackupPrivilege	3836	vssvc.exe
Token: SeRestorePrivilege	3836	vssvc.exe
Token: SeAuditPrivilege	3836	vssvc.exe
Token: SeBackupPrivilege	3856	wbengine.exe
Token: SeRestorePrivilege	3856	wbengine.exe
Token: SeSecurityPrivilege	3856	wbengine.exe
Token: 33	540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe
Token: SeShutdownPrivilege	4920	chrome.exe
Token: SeCreatePagefilePrivilege	4920	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4920	chrome.exe
4920	chrome.exe
4920	chrome.exe
5612	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1144	3040	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe	83
PID 3040 wrote to memory of 1144	3040	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe	83
PID 3040 wrote to memory of 4920	3040	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe	84
PID 3040 wrote to memory of 4920	3040	2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe	84
PID 4920 wrote to memory of 3020	4920	chrome.exe	85
PID 4920 wrote to memory of 3020	4920	chrome.exe	85
PID 540 wrote to memory of 3032	540	SearchIndexer.exe	112
PID 540 wrote to memory of 3032	540	SearchIndexer.exe	112
PID 540 wrote to memory of 3356	540	SearchIndexer.exe	113
PID 540 wrote to memory of 3356	540	SearchIndexer.exe	113
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3144	4920	chrome.exe	114
PID 4920 wrote to memory of 3988	4920	chrome.exe	115
PID 4920 wrote to memory of 3988	4920	chrome.exe	115
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116
PID 4920 wrote to memory of 2164	4920	chrome.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-29_98782e5a1ff07499541f24473553bef0_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c8,0x2d4,0x2d8,0x2c4,0x2dc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc808aab58,0x7ffc808aab68,0x7ffc808aab78
    3⤵
    PID:3020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:2
    3⤵
    PID:3144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:3988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:2164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:1
    3⤵
    PID:3692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:1
    3⤵
    PID:5288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:5372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:5448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:6124
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:1544
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5468
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5612
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:8
    3⤵
    PID:5644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2552 --field-trial-handle=1908,i,3093009859181852775,5575163926528322704,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6b6724cd5e7902eb0c2b4526c3328fe6

SHA1
80616eb177f5ea4bff538bc0fc5f357fc46dd45a

SHA256
cad5f1ec7d1341cd5d3d779e7c8a89fd5f882516bb9b4165196ff8b23fd443f8

SHA512
510c84528673bd18955b924dcdff4aa6e2c57b0fb45189e5edc29c2a6e7ca826cf5f81b4d6d10940fda6d24de1a86ae357306e07aa431b0280f4ca5052f8a43c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
74d7384264ef07d344346ea317eafd92

SHA1
bcd3c52938bd081b92444e2838547a4c706cc62b

SHA256
fc2ce4c946ade54dfbfe981ef8b0bb1c53ab326535c67e92a0fb465282c27f17

SHA512
e1c08404d6047c6dd8b5c2d28b1dda756ee6a094c01f6ba595e7b4a646ff8ba6a0aa2a33ac796f31a5f4180b84da1b4816f37ce5f3098735527f84dc8ca1fd8f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b184e761fa4906baa69cde3ef87858b7

SHA1
f307cb35d1111a88a39b8b8461d5661abe61b6d0

SHA256
4d0699c6bb4ca7bd6c76174e3e7aa033b677b9d6adc674f76f601a9cd414f6b3

SHA512
e7b8a3f63b4ba6abdefaa7c18f26147d188327c3ec6150c480e6066fb9d43c2e20d607f26accbf90029df53e799584e163f163f6cfd778b998ba2630d34a090b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f09e58a312784385db429ccfe03ee882

SHA1
bac58345edd9c52135507b061d703071e4b44a61

SHA256
a57bf6000d6324538dd4bd87d154991c14da08b7ebe089f5ca61a4be6d202bb3

SHA512
f8f2885b7cec1c923f675fb99b3461e12f180ce8331ea185f17177df0b5ee98f060661df9b96c294d429b11e13ac60b1ed63ea535f2208507544a7f8220571cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a49f1ccc1904a4c36dfca345b8d69fc2

SHA1
7e4d46749daec09db1d6e5c934ad4d0023ef84c3

SHA256
53e7fc085a266c181745a4fc30c489bd5e21e9f2ee2f6ec81066c40c3d73d7c7

SHA512
b679ce515c710fa6bfaf21bbca2d0a8a27e14ccad81ca0719fd13a4b9c73caa6460d881070fff6dced627a7daaf36e0a286b1d7b7e018cc20ba1f2e88fcc856e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7e79c6e1c370941cdd0c80afc7e98b23

SHA1
904214f44d02aa752f2e158858bf5a833b3061cd

SHA256
8ae77c5ba7d994e19a0570d29866ab6c29a396d8e70a45abfbc7d26f7f9ea723

SHA512
6fe84eeb8532ef447d5b4df27cac72439cdcb28510d7b8e38ea9ef8def687b4a717f437773945ce3ef804d8e1d882c5ea8e62b5570ae7359b55c7b8ec690362d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e1136fa6a422a4ad19c7112e8d4df127

SHA1
8533cd7fffa6b17a45fb71eba44ad74aff6990f2

SHA256
bd185b5df47ac7990e2258520df8d810c87ba0ccdb9d6023e33fb01abe7071c5

SHA512
03cb9f4800ede952665df59b3832cf1f52478147601dbba3bd3ff761e6d4c200494c66c8162d686a9e9c6acf87a80b8ba11a7e57e6b8fb27e433f02a9cdddcf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0f3f482c9660ae75d38f17fb094557f9

SHA1
9f0006db7310c1ab44071ff6753f11966ae192a2

SHA256
81d8fbd9022f2b4df0068a51f763c6de5f72576b92fdb50c49f6c9d1dd75016c

SHA512
7491516754e9b47aff14a0386511588c4ddad39289bf3469a2d1809954ea668746ebe9e0ee67ca8ebcb0a74159a118f408cdb649f159e9163b05726008bb4dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578b48.TMP

Filesize
2KB

MD5
e51001326fdb734e7394cf6934f68920

SHA1
74a5c58398f50ab8cb348ab623ab2eabaf5479a7

SHA256
6df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292

SHA512
dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9eeed4aa5ced85e35585e742ade0ca9c

SHA1
2960b7ab4277741a4675872bb00d1de6bafb3c0d

SHA256
832e62dda3fa57b104adf30c738625d7ddc25f84434e837d3e12a20852691e1b

SHA512
fee19e5a36bbf5978284e55dde075d15789e825c7053cb3b4cba7858ad0d0a466908c96b8862df002fc407fb37ee7987df1c9ec601e20aeb038ece31ff83f6c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
3747d788d6b3c62be56f9bc4a8efded5

SHA1
f440622c965516f568fc77c901ee422ba5c31f42

SHA256
d4df24c34f631975e36d90e43a35644d270600619166f3624efa2a7a8b048a64

SHA512
e13a1cb834c4d966e5c13cd9d72951fe1ca01cbefc39d03a3d9be3c94b6e2f66e2081221d55a209851e794e08b2efbb6827cc98b11fb0727d6bd8de22f0b40f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
4172747145e80161e3c41920c71fb355

SHA1
5366c704088ecbeceed6f55009df9369888bdde2

SHA256
92eef3d4904849941831b71f0bb3b7d83d7fcffc54b61d2da9d5981a57e37524

SHA512
4736b0a9d8857c8cb441f17af2754742ee8800ef963800db4098565658b004760ace03bb0957def8b2bc375fc44b5b80eac292f477697962156c0156ff408580

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
c3d04667e96f89d0789dd24319c5fb85

SHA1
89431785135fe26479d98b0fec7db4020c30441f

SHA256
358a9a5926d2ccb01d9596176e59c058ade03d970c8ce766c521f7daa70a1912

SHA512
87a98f54a885e291de32810c29387c6751b5b73354d43fdbfa45b015ed261803368b6130aea9ec632050021a0157ce0d9d13ff7e1febcc389fdb99c6d456f437

Download Submit
C:\Users\Admin\AppData\Roaming\fef093604ba38143.bin

Filesize
12KB

MD5
796147d8f1347831971c7c1d42aadd7f

SHA1
94a65b3dc0219557fac9bec619e8d0ac7a2dc465

SHA256
fb8cd8e4e205923c4043b1dc9dcef65cd07bf9161d7628b0a2b7ffef3bb17b43

SHA512
99466bac62f80c3b0a18055e5df86c74bf49fe031d3151f3e370a835b9d849d9a3b4fde6ad40041c9c4fb3fafbb03098f364c793b1545b8362b1a5879c5bf332

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f858cd9543996241ab288bc3745287c0

SHA1
1d7b82b1ca466ec53f001582e1a6ab3912f9b3f1

SHA256
1ebe55eed1989bce68400322e7182b2a639225d0b90570b10efee1edbe0e2335

SHA512
aa84c2963e4b5d353da86f775945af4ca5ee27b3e9fade39ba5a959abf59a567c333906613abe165565df0fe1a371161374a2101f447da0c5b1b4bd6cb6dac6a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
31d638fdfbe86c62ce91a97eba1a3b9c

SHA1
09be4691a83640343a9f26582b52cfd7ff16a584

SHA256
fa25f9a44cfb138b41ec82f5a604ea8ab6f8a0c048bd691020a79740728734c8

SHA512
2a15e6dcc4ddb461dfe83ab2fa3ab0e9c6f0c1501d962ae49cfe08cba8886ef33b6af31df96729f1e845489cfced79d51748bc5cdbf6ffd86c85ca7b4ccc6b50

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
08dcba72d7c6eecfd666045e11ea77a5

SHA1
62be9f88859856f09fc589b0e0c5503e0a4c0bd3

SHA256
18552a1a06d7a7b4c6c9d56ca09b2c2f2d4e886832e61070bf558409a94ea906

SHA512
a63e7015ea198fc2101bc11167c0553da699d4a8f1d6ab3300f2fbb965caecd99892851f15773209d6b9655bbb3f933c0223d395801f42c6d82ffd8613467baf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f244feea28f856b89427aedcef5abfaf

SHA1
5bb0c732c0aca8a8928f73ede15683081404f135

SHA256
5dd15375a64c48d313b65637c038e4e21d877d10544a1bbb53121c3a4ea38780

SHA512
4989766e83b78a11f2dfab2d99aa5d27a70ce07357db089e2910885fa3736649768d76a33260cb9bbebadfb6cc42b7548cc75f2bae64a00018886299c282461e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
00aec099acf74a47a4187ebccac530ee

SHA1
81ba33a778c30e92bad3fddf1dce900a33ce23b8

SHA256
152632b86350596b84d54cdce69cf393f61a22e8d86be91e572ebb24e67debe1

SHA512
7434d32ab45709a1e862892b211eb6ce77d836c6eda82a1296e84200b1fc47c406d88bdd01e4faa6efad2a49e57cb8a866caf001936f935f656c19effc3f0f50

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a3f00a8674bce57dbe40b04b2ae7beab

SHA1
2e03d0d2348cfec6e3688f6bad27a2c22f7ce9a2

SHA256
d17fd0ef8f3052ccc10bbaa3f843ae88da3e5ea54308e96c8ae8086acec316a3

SHA512
29bda6eee181d90cdde4517c25f3d035850ac117825f3735648c0f9c1ca94023449e26d4bc8c540a22cd786261ae4ffdd7ef98e08f8ee78423ee2c8af0c4fd23

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ce474b182a131f474c8fa3b352fcc961

SHA1
97a702b42349fbdcfdb9e9934ca9e0f3b1e6c374

SHA256
167ad96b0eadb9346141db7080157bd98cf0518ec339214accf35879073b9d6c

SHA512
8f275333446464b1007912a27539dc015a3d30e0843eec873ee28350d247baa8fc2fe793ce99231991456e071a7925187c3e53d9b9a491f5501015a276fb090e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3478c4d73e861023bcea4ee4ce496dfd

SHA1
c53a2314169ff587ea09acc2d3d60cf3c6136533

SHA256
19db67ca858dc380d6f99b9473544e41bfa81ed17243f137f617784732ba2ebd

SHA512
9a63c3c5736cbf417be6faf8265938c1d97aba68bbe9d20a87935b2b6be3fac14a023d7980066d581a04b710b68568bc9369441da91b7a1b569bc8c189c47e06

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
480ac8192fb163cd863e0f56eecd7658

SHA1
ee902e3d42f3733c046d82d3b63256a84066cda0

SHA256
0e915373b9bec800aae656b3ef7986a94a60f8fcde30e464992311f97589f6a1

SHA512
33b1b571d0dfdead399e9f15fdd72f4e4437125ed6a3483eb09982ce96fe31259aa7ba85af91c7cc9d64c4913d48a684bf1d2a3e01bcb71011e12175e37e794e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d09170a97dfac977577b42357e1f2090

SHA1
c50e25d242f4f7539d30af76ac3aa5219ec33492

SHA256
038b8cc3b62b3db6c47fa49606006ee0a39acaf0eb7534521cd58f372c9d14a3

SHA512
21facbefebb0c18a02edc115a11b6257a07ccdfce9b625219ff37a7c61409f3f229fbefb8d5ad963ea0a185b5c2905842856a323c74208651101b56a5a4dfac5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2052e73575bb8f85a3b80852e8891bd0

SHA1
04d9ddd7a4f73ab772deb84b26987d68d02a4c0e

SHA256
9f5a4eb9354d3ee2364c760d247da23a1fb8658549a2bd0440f03362dd202f7d

SHA512
b096ed0506317b43fcc4a8bac079146fad3899387bc7fc76efcc15e2638cdab0f0e1e3cdff9c445f6b7c07d30dc571333cbc6cbec3e2ff41b6105235a2dadc7b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cbf16f78248d8a78a1c7396f7c98dc35

SHA1
551cfcdac10fb179eb55a0ccacc5ce5b9c157d02

SHA256
f2573a8db01cf1288ca325d904941c50146fe1cdd65502798cd6cd0a748645ee

SHA512
c14744053737419d217ab0acc0ccba8fefc0464bf649b7c9c667fccec1c4dba74a191e063773349a62010a078d7d5a6e85e16d592d45d7b2a650f78eaac009eb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f806fb9a909b0a75b4ec9e60c82ea33d

SHA1
c0e4354d1465e12edfd26cdc16f8528267b369a9

SHA256
e695d4975a50ff150b7ce8d390f89db0d0678b89651810a610c57ff588665d52

SHA512
b7a636aa029a33d4e66d4984843e84ef3d00ca29d031923d9a2d74e6540edaaa0e056fa26129c8a2ee0fdb3c24867a4fa6f26886d667a4111b751904e2887ba8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
44e8d7896361818af686834b48a27c1e

SHA1
e4632e9de4b4011a72ccfcfc8d1f1b91a2776bf5

SHA256
00ec9aaa112fd38bfce763a9a2acc2a96220190c7be4f8b1258bac942dafc0b2

SHA512
093a800fd040a7a230c26ec4d579a3287cbe032b8b8799860a57599a132b27f901847c9c2fba39205916299b847d3d7d562a1eaeae79430517e5e76ff77ef78c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
44859233ec081b51addda81040b0d7ee

SHA1
4bbdec86b10630fa9bcb750e45b4845462b40ffc

SHA256
8bcfa8a45e9eeec0e8455ffb03d6fddde94bd859aaad1b324be8c35eabeeb565

SHA512
f50af865bd6401a24c726c88baaa38e8f313a01d25704ddac66b9a55aa716505a0740dc3f934ca6698a9523b471b8d74c61d9cc761ea3dfb5d796c2dd7d034a0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e0470a333f631c6d381c4dc0148ff075

SHA1
7144e6c4aabf377008462e3c73817337036562b5

SHA256
364a2f79e59cf2f30fd2274a2dd61d6adc3d9fe8241bf0ca445d0c545274bfbf

SHA512
ce91083645393ce14cfc066623e5d8c6f28b613e76d3824d3d0cfdb70e75350b16ed65801f88eab844bbf8dc5b5ca3ae593772085c7f7dc1529ba68c7ac07870

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
49bd4684d95c33ee3c689f4480e59ea8

SHA1
57cfb17f164aff1434f24bea80b5986485e50152

SHA256
2cce636c790b4be61d18125a59e35c35a3d087f3ccd84441169118d2644e8a04

SHA512
4cde047648b7cef96efa9baa628692e0399dfc1f953102fc5fbc13f5f083572645980e737ef58d5ddb51d9c632a052580480e3dbbeaab23d0b705d0893a1dd68

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e8c29dc3c51a3ac2c93d8fc2aaa07388

SHA1
fcd90dbc93821542e49e6b487df208fb0a822828

SHA256
d86437ceed7d272fa85e49ef4082c658af321b4d82efc6d79017fa7ae455ca18

SHA512
8064373ff2f26481390894150824092e627ad62da2a8bf10177acebd2bb7c4e8249ee0985b3d0687f73b88555dd5a5869aaaf5005c09860e7899711e64ef9f1d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
260b0e3a53746be1616919a463e54706

SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a

SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309

SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434

Download Submit
memory/372-335-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/540-355-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/540-727-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1048-333-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1144-21-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1144-534-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1144-18-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1144-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1344-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1344-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1544-611-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1544-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1952-341-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2336-56-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2336-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2336-62-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2336-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2688-36-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2688-677-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2688-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2688-30-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3040-0-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/3040-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3040-27-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/3040-9-0x0000000002180000-0x00000000021E0000-memory.dmp

Filesize
384KB

Download
memory/3052-334-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3128-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3128-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3128-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3232-73-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3232-67-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3232-452-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3232-74-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3360-331-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3600-339-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3768-726-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3768-354-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3836-352-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3856-353-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4012-340-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4248-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4636-332-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4636-725-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4636-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4636-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4844-336-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4888-344-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4908-88-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4908-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4924-338-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5468-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5468-728-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5612-604-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5612-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-730-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5704-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download