eff39675a8cb8f1426779ff68239d246a3202c6131456116db04e9c5c33f67ab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
Size

5.5MB
MD5

472e5cec3ed778e9560881b1bfb8b48c
SHA1

31663e97ab01d510aca218f1d143d9434de75f1f
SHA256

eff39675a8cb8f1426779ff68239d246a3202c6131456116db04e9c5c33f67ab
SHA512

30224f395efd4d2ffe35b610713628fd3d3918722feb679b01bb233e2b23454c948543746494b86932b9ff2ccc0fbb173f5519a18e17ebbc2f4315eb6b83a1c2
SSDEEP

49152:cEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfh:qAI5pAdVJn9tbnR1VgBVmvqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2404	alg.exe
3932	DiagnosticsHub.StandardCollector.Service.exe
1252	fxssvc.exe
4124	elevation_service.exe
3880	elevation_service.exe
2744	maintenanceservice.exe
1788	msdtc.exe
2224	OSE.EXE
4508	PerceptionSimulationService.exe
2984	perfhost.exe
3596	locator.exe
1464	SensorDataService.exe
4884	snmptrap.exe
1672	spectrum.exe
5008	ssh-agent.exe
1816	TieringEngineService.exe
4360	AgentService.exe
3584	vds.exe
2056	vssvc.exe
2568	wbengine.exe
4276	WmiApSrv.exe
4144	SearchIndexer.exe
5284	chrmstp.exe
5416	chrmstp.exe
5604	chrmstp.exe
5712	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\edba448d293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc66dcd216cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4ff36d316cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642437829105983"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a142bd316cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006132ecd316cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b178efd216cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd5d17d416cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002867ed316cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c82dbd316cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
4540	chrome.exe
4540	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2376	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
Token: SeTakeOwnershipPrivilege	2152	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
Token: SeAuditPrivilege	1252	fxssvc.exe
Token: SeRestorePrivilege	1816	TieringEngineService.exe
Token: SeManageVolumePrivilege	1816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4360	AgentService.exe
Token: SeBackupPrivilege	2056	vssvc.exe
Token: SeRestorePrivilege	2056	vssvc.exe
Token: SeAuditPrivilege	2056	vssvc.exe
Token: SeBackupPrivilege	2568	wbengine.exe
Token: SeRestorePrivilege	2568	wbengine.exe
Token: SeSecurityPrivilege	2568	wbengine.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: 33	4144	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4144	SearchIndexer.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe
Token: SeShutdownPrivilege	2524	chrome.exe
Token: SeCreatePagefilePrivilege	2524	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2524	chrome.exe
2524	chrome.exe
2524	chrome.exe
5604	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2152	2376	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe	81
PID 2376 wrote to memory of 2152	2376	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe	81
PID 2376 wrote to memory of 2524	2376	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe	82
PID 2376 wrote to memory of 2524	2376	2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe	82
PID 2524 wrote to memory of 2020	2524	chrome.exe	83
PID 2524 wrote to memory of 2020	2524	chrome.exe	83
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3512	2524	chrome.exe	91
PID 2524 wrote to memory of 3240	2524	chrome.exe	92
PID 2524 wrote to memory of 3240	2524	chrome.exe	92
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93
PID 2524 wrote to memory of 4532	2524	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-30_472e5cec3ed778e9560881b1bfb8b48c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff12cfab58,0x7fff12cfab68,0x7fff12cfab78
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:2
    3⤵
    PID:3512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:3240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:4532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:1
    3⤵
    PID:1940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:1
    3⤵
    PID:5304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4120 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:5504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:4712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:5172
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5284
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5416
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5604
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:8
    3⤵
    PID:2916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 --field-trial-handle=1908,i,12093825908900273376,4123093256288728878,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1404

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1788

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2140

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4144
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4af17d3b2aff86d84e0eb00a1bef075f

SHA1
93ca58d00e7f54d3636f3f5ff014f67752b4d126

SHA256
77239c26569ac68f682d07611eeda25a01fea6ce8a9e471cbc31ba3d04fd7f79

SHA512
dc15d6e4dbab00929861b020c08fc67e3f08792fa2161ffcdc60e4601d2767d41a31fe49e7d7b6c52b247a578410313176bdea55ca3825dfe5c761ff021697c3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
21391ac692e7a8a615c11fa4357c92ab

SHA1
6cdd4b967ee3577f2edd5b3df454d85548dc9410

SHA256
6e82d0dc371cf4ae1571b2fce4d94e2d4314b6ded86ae4a7debc1cc813f53999

SHA512
17a16b9a75d99adbea2314d5a048c72680681dab7e058b9051e829560572416b3ab71115f60323384c598b61af6956635fdcb030ac9ff337098adc85e3d3039e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
825df9ff7f567b3d171360c4f913c861

SHA1
f3d3b26f4b6da78b678362b85638bf534745a68a

SHA256
a59529c0bad736045945e6b9ed7128ff6956acb45e1299cf1f7959e1ba4969aa

SHA512
c6ba6406d369ea66c16cb0df8657890636a70ac4977855806852acb53ab25021cd1278a094355a975498a959c1685450fde706a6ae56f178b58a44a57ffcd6a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f92e098b0e09a06b03bfa457a5faa0b8

SHA1
4c647f995b3131bf9642f114892b38f3273d2e75

SHA256
dbc6a1d281e5efe5072261cd54573b6dc1cb7aeabbe8e189db6ef608a27f6766

SHA512
384e7dc4da9a78e1e1fc74b72d3038310af7cab9f14434d1df3f63e700e1cadeff8f6db43b740c41525dcd6102e38f4527612510d09913e02bf6853011288b60

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c5ca11226bd8021282a18bbf849f9c1

SHA1
22a5d9f50681a94edf3dd76eaed0734bc82522de

SHA256
ac34b94349ec2eeec4082ca990dd418de96350e261ca8803e29cbcdbc7633644

SHA512
b0d4107e7c81b745d55185b0538a7cc9795ca710d97936d4f1aff92a48386474b8bb30099355ff71d3a8061b651ee348bc0f215bd1ff2b0db49ba58e717b507d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\9a938cba-e174-4439-b4d8-c27c1b3e4f30.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f144f5037ef53f7ade97e44ce00d9606

SHA1
256b28b8ff725204eef5e5e525b2fe4a0fa8cc63

SHA256
a881c8376dbd5bbf2e835982220722467c1cfc41bcc31f0ad3bc0b639848c497

SHA512
02abc8fddc6023aeb154efb56945466c7d3d3fac211f45e5fbbbf4f9c9e8ca88e0d43799d184ce338a849cd9b7f97de922f6b17baa88d8fb8f7796d284233ea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4fce666d1306f4b71a9501045135c492

SHA1
dbb727fc07e4c994b68cae6d3575d958d39e0c08

SHA256
2bf88102626f442f6f2c7efe4575e4322fe04b84fae5fea8ac00a516566ddce8

SHA512
2ef064b58015267b8185c773780dc93675285ee411d4b4d87e9cc121b9f5c52af025636013d1e666d23d7f02f3c3a7e01a38f58ee8286ee1e08460f5445c1a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4074c63621c98aa5a3627a2f226e1b3a

SHA1
e779960b2dfa34effbf19eddf5bcad50d7f61712

SHA256
4fe33b32ae53e5f710067390d212454453213b31305cb0f720e65dda663ec809

SHA512
562123a480d002f3f99c34e18cd137c4b3c2d3e041b6ead486735f20ffbdae4a7fa889e4c146a517d07887c155d3b0ce54aef0ba78d48893d648c94e1063e2fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576fd1.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
92390b649eb0e231ed88b81a811331b6

SHA1
98dee974d00e61e39caf2acd3efa166ec85d12d5

SHA256
3178f4572b60045b2345947413c2550b2ebeef93c5df76be3dd1cf2f6f5785c6

SHA512
0468a38437d174ee3235f7d6b30e99038df1162b66f7a7b47da257146f6b4639eb98098a60fced53f798318034abdac931725ddad8daea7ea4002fdc344e838d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
f01d5cf739fcc6a20947a649f0b81ef9

SHA1
48c273172202835dd01f4e7c8712e3434c3a1622

SHA256
0d4e346fd7743848eb7a8e045b5d2fc0d7da603bc32d5b16437779b82d5efeab

SHA512
9b0aebda8e047be3551ce5d8a7360e313ee20893e228425c1f922a8d2fe862e0cf395e3958060e7814df319c5a6f7d6638cfd516f4c350a2dc92934b0195eaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
1add2e8247f505929543eb3bf4e2bac7

SHA1
19b100dd9a2dcc08593588039d756b31ff69b4f6

SHA256
7059402669044290f1fcf1078038c2ec5ebdda9db5ea8a260d49fad7ea6e9091

SHA512
45bc53f7e3cd2cde832153b22c51cef35a93bab70f44ff0604837c9f6e8d092ba67f9fd14f85b1ead671b60fd2378c87b1ce7655a800722607e0d2abebb99d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
3c8eb6fb9d3d77589a9a5bf6374916fe

SHA1
40559c2eea5331f9c79f33fdd2e62f5c0615472d

SHA256
1d80713318b19f0be97fa2b8749c8d7a56866c6d78557975c8c47fb10334c33e

SHA512
8542faffcf149026f390cf706e72248b903314e7b201ae2036237da2e69186ef8bdb5f6c83d291e13eda8c71a28ed2b9df849ccf5d956280347008ea384f1698

Download Submit
C:\Users\Admin\AppData\Roaming\edba448d293b476c.bin

Filesize
12KB

MD5
e868d297c9fa75e22862e4b1dd7628f0

SHA1
9352353820005326b30b75b9712aaf821bd06da3

SHA256
5df4df7d2b60ca758d060f57b7c893edfbf5592cbad73f18579fa3dfb7442f92

SHA512
b5aa721076214731789b8adceef12ad5e8d789ed71bf7efde817aa0bdb01d0dc9d32c2834c7b5b0957ad8e1105785589d059c21574ebbd85a9f92e021ae310fd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6d8918bc0626b7f0f3216e0ae60fd02a

SHA1
47184129d25c39157a2e44fb6cc6258a7f0c429a

SHA256
a96386fb1434da41a23198769ac8054234a2a9d16d89baadb1187ad5dcadbfe0

SHA512
49bb204317f25778c9b1be6a46f0c2f5ffd780820eac68aef557c2d272359853c6c69842368940bfc184df0599613d087c501a60c4f60810d7a667d393591d72

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f8bf29ee3a5d66dd3f0d3c0abbd7ae5d

SHA1
1129756701f854347dc0c93f940267dbce7bf55f

SHA256
4ae9e6b6b9f86cc84fc675f822afde1ac5259993c828a9fe341314e0ff8d8f52

SHA512
86d44c55cae18a1a6d3ddab78cf933b1a8da354f53e1c0aa49227e8f24137325d0da30d53e6e2e26bfa1fc7538670db03ab51bb0a5c6f07bb19af0a8fe0b1665

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
cf2da57c6f7d3567d2f85dd46cdf81ac

SHA1
e83e7afb4fa9db076c6aa800f159a5f4bee0cbe3

SHA256
1843274306f3ed2d5084caf7fc100ab2eb60a9d7231d50777f09edae98aa6fe6

SHA512
8015ea509aeca4f889bb59f7da0159c21435cb687b1a4dc1101be4962cc5da8c9c1f5084206211211f33d5338261e9d0ae9a52c3dd2d06e7251fc5648bbc2ec0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a1377503dacd36d2c7d30df101b3be53

SHA1
dceaaac38dc4ccaa95e1a9086bff1ac277acf9d9

SHA256
b2a47e8d2671a58ba2e2863a9a872732a56e8eb4dd645b4467955b94e2b98bf6

SHA512
2c75aa78d83b866c5463d7c93825247fc24c195f9c6eeda909935e8c4613b4a264d311a3912565bc3a42cec38aa55d532711ef84c21b3237e0bccf548356d99d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3d8dccfe17ba1617b19772cc19aaac25

SHA1
03fb33d4b6221228a2f8c668eca811ceecc16ee4

SHA256
4bd4efa54b81c2d9d731f0d0d4502515c3364154ac6e446ebb0d1772cc1daed8

SHA512
820dcf38e179ce0c5bdbeed42e2ee4b56d8c9c15cbab7847cbfbd2a28be813c53a70930c64c50a38a7e1c6e8fca1af4d5067fc5ae362d65f1b3d54dbc8c86ad6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
71a6b462f3e2a83ce329406d064c691c

SHA1
4901e69225a6d809072d09c09c4dde872e8005a8

SHA256
5b127c1d4f4464d9b72ddc1d0394688bee1a29203bb0a356965a6d540157b3f9

SHA512
85ae4df6898b01818db1b9145ccea167ee8fd04178e8ce58a3209eb190e628181c46240b6cb63e728c73f57b823429fd51279a66e25ba75aa3a80627607ea587

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
039baad654f94d0134926e1f1e1ad907

SHA1
8db6353facc770f916c8b888ad5420e2c1d118b8

SHA256
bccaa5a0eef54bb7e8f30e70ab19dcbc40a3183cc206e64d862ff9fa1b7b0190

SHA512
8d5ebe14a121579f47540e95bfcae0030267a224713a7b1428918e5d25c12f3c47df32c93764b048f8fb798d7bc99e63909c69b7cac227271f6e6d7bb5a99b9d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e4c8e9e694250a32038204cfb004d602

SHA1
c944fb13b36393f2514ed39228a3068e5dbc8bd2

SHA256
95819ef3f384ac59bda18bffdb762d6bbd4336a87c61064738a7b073248fcae8

SHA512
b144a7747aede43ecc8a22d909d3b3d6ff46191c900420c9f3900c4ee0f939a6ee0c412d57925b3c5be8ce073e112100c2290f0505e11cca572b551f2053d4bf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c07f23ce05a384958c3c954341ccd3b2

SHA1
5184b53bbc78447da6a296d7d3fc4db99fdb3a21

SHA256
a72bf6f8d4d64af5ff3522763b76b7900616b5d3e690fa2b08faebf84031e9e2

SHA512
88028f85f56f167734b065c88299896b5d0435376b1620c12a9117ed06f46ed3c744bd9dd509561e8fd3a06e2851b9888491bd9e88cc5df457249a3aaea4b58d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ebe237175271f1db49ac6ba981cb32e

SHA1
cd93d9c1315365d376a7233242ac6c0f24399c10

SHA256
7f79eb1cbb582f914a83553441f82235ded7f523fe28eb640f982bac3f06741f

SHA512
b1ff66282f41bd142f813ca6cb4aa9de0bb231e15f53c6bc2426a98989f5eec586c1839619caa5f6a64413fcd204198088010f1e3db6827bf26f458e12c0b4c5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
41be7bfa26358578dd68533cabd34648

SHA1
329c68c1390ad52545f53954549d5632bd8b1602

SHA256
89c2b0a888669c14d07fbbf016da7b486f44660c8751de7813a61840a779f528

SHA512
96c9ce711eec41ac142294b0f5062cb2c35faa3b6858cb632c1b52455dcd84542999e181c84da5cb9e2bb2bc76fac1ddf52de962a76dc79516f5146e4f91119d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8f8187c36207330b2a28fd3177a05f2

SHA1
f5d82ff3a70303022e0c45e0efc60f3f78670015

SHA256
ca8c1e197e28ac1cd7657c524224a9939f844058bbee6e997e19c6b183784cf7

SHA512
fe6d85b3ebbf2d896201a98e70b8ece225a95b5bcd0d0704cd00132feeb79ee38b1e9b1cbe3574792c6bff30028b59eb1c48dff29511faeaf4b66ed776cc945e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b86e9d28b8f9e890f229ed9b9bbe2a91

SHA1
42a95aa03b988859208c86a51e082b8fa6716a4e

SHA256
1a3db06f17bc855c0c620cfe2202fd90d94ce81c0f2df5e1cc0c75a321283cd3

SHA512
441f87c5a2b1621b0b940f2be8673a3560f0fad60457e3a569c7c6ec4817c401531fd21f68d5b907255e7798789816deea5a7acc37fb464987acb38205b8ee33

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
17cdc05248b18493ce845b5447778e92

SHA1
6e09bc0a92c3e5f87fae4c082f450dcc230b62c2

SHA256
ccfccb70caadc847d9a4495b6b3d217fcf19c81eeea4282baf155bf1a8ae0ab7

SHA512
302b7f5c902e19a82f38e28b653dd788e2d01e3a4d5154233376a0c394135f3b643fee89575f81c1a62f8859c361207788479ada78bf5f9022d3ccce2137f146

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
27223f17198782cd365b13ca72cb5388

SHA1
cfce34446258317e055662deada6cd731120d23c

SHA256
c43e438f7af00c4d69d74f027e1115b0671b8905c9780656d10f14093528d7be

SHA512
0e51ac463d96827020863d1c41284a22cba82286c4e0addb8477c0deb6d9a68a0a8763699d21abb379c7f869ebffc634d61c2a14af6f270edee1cba3a975b4b4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5b5864f08a434ff30be8a16bf88bd3c3

SHA1
373db3d79eee9c6182f695baa51889cdd717b540

SHA256
7346c51db8db4e6184d8db28d342c6332d6385dace13bfb42a972d15fcc11be1

SHA512
4a0525df9a7d1e63ce0d0cfb611cd396d31f813a76ab98966511bfb068ba8cdc1def91537d05869e21ea626af9c6ae1bd3366aae37943f17854a2a94730cf4ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1ceeb019436e21a502ec6b0b664a271e

SHA1
8a924d1cd5dde06129123751eadf7c82289e2e10

SHA256
2e38bd2ec60c77cd21fa3dd8eed418e0cb615dfc1fdbb3b4443b6272ab829721

SHA512
63cb99077d2c6ef72313010baa970c519e92abe2364d1963f9e5225d2f174e3615ddc5c95fb24541c6d9b49d172a77ce3bb590d9a2076ca855a2cac745289673

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0ed15f55364e47467aa21d1ad7369115

SHA1
567ef91e38c04213cb5a622850091f0fd28fd131

SHA256
1c86ca9e765a00439934c48279c01437beb27af13652ca39b0db96265417b759

SHA512
b21fd39408894368c4466af93dfc18d118996d6f9a632b6cb4f69a94c261335034fd641c5e7c51a5bb1dbf38aa528d13726db2b80a8cec8ee0cfa3187d5c4e8a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
memory/1252-60-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1252-90-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1252-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1252-54-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/1252-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1464-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1464-670-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1672-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1788-133-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1816-370-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2056-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2152-12-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/2152-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2152-551-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2152-18-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/2224-143-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2224-737-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2376-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2376-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2376-22-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2376-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2376-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2404-34-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2404-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2404-556-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2404-37-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2568-376-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-107-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/2744-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2744-120-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2984-315-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3584-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3596-316-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3880-719-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3880-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3880-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3880-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3932-44-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3932-50-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3932-63-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4124-74-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4124-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4124-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4144-378-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4144-739-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4276-377-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4276-738-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4360-250-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4508-314-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4884-319-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5008-362-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5284-541-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5284-602-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5416-552-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5416-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5604-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5604-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-742-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download