241832d27ae691477ca00fd914a7bf8815fe2b81a5f68a48550fb2b201474cf8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
Size

4.6MB
MD5

0ae12163dc4604866c459309ae6e87df
SHA1

eaeb0542c7509f6604fa67903e82113bd96a8f89
SHA256

241832d27ae691477ca00fd914a7bf8815fe2b81a5f68a48550fb2b201474cf8
SHA512

4828deb5be0cc0618d50613a9b70300aef1b6a0b2e154ed9fd4bae1c6a4a293303ca6c4bc5a44ad76ca067064e5518e58463bf3471443d988e52d5bd2122a194
SSDEEP

49152:vndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGI:H2D8siFIIm3Gob5iE/pAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3676	alg.exe
4980	DiagnosticsHub.StandardCollector.Service.exe
4384	elevation_service.exe
3920	fxssvc.exe
4144	elevation_service.exe
3868	maintenanceservice.exe
1532	msdtc.exe
2280	OSE.EXE
1120	PerceptionSimulationService.exe
4804	perfhost.exe
1528	locator.exe
2724	SensorDataService.exe
3032	snmptrap.exe
372	spectrum.exe
884	ssh-agent.exe
4420	TieringEngineService.exe
8	AgentService.exe
4872	vds.exe
3144	vssvc.exe
4016	wbengine.exe
5252	WmiApSrv.exe
5372	SearchIndexer.exe
5400	chrmstp.exe
5960	chrmstp.exe
3456	chrmstp.exe
5856	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\355cf6e1c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003facf63daccbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643079547305663"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052fdc63daccbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023fce53daccbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a16883daccbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f12bb3daccbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
5952	chrome.exe
5952	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4348	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
Token: SeTakeOwnershipPrivilege	4036	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
Token: SeAuditPrivilege	3920	fxssvc.exe
Token: SeRestorePrivilege	4420	TieringEngineService.exe
Token: SeManageVolumePrivilege	4420	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	8	AgentService.exe
Token: SeBackupPrivilege	3144	vssvc.exe
Token: SeRestorePrivilege	3144	vssvc.exe
Token: SeAuditPrivilege	3144	vssvc.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeBackupPrivilege	4016	wbengine.exe
Token: SeRestorePrivilege	4016	wbengine.exe
Token: SeSecurityPrivilege	4016	wbengine.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: 33	5372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
3456	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4036	4348	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe	88
PID 4348 wrote to memory of 4036	4348	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe	88
PID 4348 wrote to memory of 4564	4348	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe	91
PID 4348 wrote to memory of 4564	4348	2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe	91
PID 4564 wrote to memory of 1820	4564	chrome.exe	93
PID 4564 wrote to memory of 1820	4564	chrome.exe	93
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 4580	4564	chrome.exe	112
PID 4564 wrote to memory of 3748	4564	chrome.exe	113
PID 4564 wrote to memory of 3748	4564	chrome.exe	113
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114
PID 4564 wrote to memory of 2000	4564	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_0ae12163dc4604866c459309ae6e87df_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7fff269cab58,0x7fff269cab68,0x7fff269cab78
    3⤵
    PID:1820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:2
    3⤵
    PID:4580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2116 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:2000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:1
    3⤵
    PID:2852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3964 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:1
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:5580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:6072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:5832
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5400
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5960
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3456
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 --field-trial-handle=1964,i,2806701212100182240,1653079236558392998,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4144

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2724

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:372

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5252

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4672
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:8
1⤵
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
402dd6b74f5c244c2d49de9e68cb5628

SHA1
fec1c84f82d6e87e59f269482ded7cf0c47b6029

SHA256
7f852747a8efc4e89a3b907b767d55a7f77e23e625b222ef997763fe4969a27a

SHA512
e63ce98da9c26e32fae33dc547cd5b882d17daf3d6f638d4d8825b910349d9a2a9489611c594084fcdb8af073dc626ba35e7deb244cf0431e29e06c6c6930063

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1bc756a54e964f0aa308bc812fba81a9

SHA1
c59885483c273131b612aa0e297bc69ec33fb644

SHA256
ac4700fcdb54dcd7427734db4d8ad42b4f01b37c0b4c112fcddda5d43a017591

SHA512
4c9b3d78f0956b2ef974eef95ef890499970dad30e5fb0dd808304a405eb075401f06d9c370f78889db8477c3a5c1770aa4e470fc3d308002217763fcc60fcf7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5009bca5b05a2a7e9e31ebf327f65dd7

SHA1
e54dda36ebc6e595b1ca711f426e0d47973ca65c

SHA256
3fecf6b7df83d22c2a23c47ba332bef19fad455dc1ef5b31d2e2f44f2d068c9d

SHA512
4b89f3c93a9f2bc206508db52a56a5f0b757e203ea763502b46b7f562a5c2b820e731a97b4a98ced7411977afac69273ebceda436025a115d8f1d6c19ecce7d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6c2b6be9b10cdf48fe3de2cb33ec6f56

SHA1
3883d727693de8c855c76a888c12d00dd78fce70

SHA256
810a1a089344a78e663985331dfe3dd8f45cbd7450d4bf0eabf64024657f84f9

SHA512
c3be5198627c73a3079311b72de448ffb83eac3a7caa63233af20e89587dbf49bb0bbc3f346201fcbb7b9cf529d6131c6f36f94bdb0a2675a4470de1c27c7ab6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
390c63bdf274432b113f4e32da95e50e

SHA1
298d6f748d868e0f7561b1b415f6e7b988a3b6f0

SHA256
1e17bec82a23ea6b0268b817cd361b27a3809f4457aa565526ee011841693217

SHA512
5efec8397154439c2de46920fb34ac5abe5747d4f0a33e1a732b4e8b03e6d0331ba63b0714bc6356e16e51f9d19f4af75752e106b653f5012c653c546455b32b

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\76cc75c0-736f-4bd6-b996-0f7f0fe27163.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c796cdcc82478071e864aa5f1bfe2419

SHA1
9435fe0b519151d11ca18fe1b6a3aca6b5675fa9

SHA256
48cba20c2ee4df239f5c947f1d853d7f3e6611036f30e9c9390ec7d05500554e

SHA512
085d28fc27bbfd738dfd4955373c3135528b3a9cda71d51f7c9ab8c44094b2df64e26bc0e4f6dbd4a38d114921f89c93003c3c2d869d00eedf1e4f68389e5935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bf91efa5d1815fa4b74bed8b94e9ca88

SHA1
a747117b1af32518db7aa75ed969f5160ff22cd9

SHA256
36656e206669731ca319783299b9fd3be0e4e38bf680b8954f0d2d957e1d86e1

SHA512
dedfc1a91ceb3a598e9fddcae78c9f6395150dc52eb711a0c1f6fdf21ebe53675e03bc367f1a780f48e730ac9bf91ded45b9c64b71efa8faa4b80a58a3a5f721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c5107855307d7a67aec6a0f92a994277

SHA1
333d73e5244e8e5a519d773c9fb358d5fcfe9125

SHA256
7d83cab8aee98b53d0fcb0eda25c90963990564b323b68d814e492ea9e9dd730

SHA512
ab6e9367deeec4bfcf59b6410649a79897dc651c22d768e6a4fa13497a8b544f0862b0c69a5033d093bf3d6853d9b11bc692258d21b4390570be0752bdfdd19a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582556.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a2489c895d940ab63ce7553d973cb4bf

SHA1
bafb38b7dad3b3589b7abcb7152e2249923eb009

SHA256
b1d3755bd337b49a1c7d56f3c588d8f2a255fd3df375ad653ec24dcc0c2e1b44

SHA512
33f7402322df5c9b6f73ce476deacc20749a6ca9b3b187d1dbe0b99a1c27ca1a6a5d11ac8931400d6cf55d0cb2aab4c1bde5e466beef0cc1b9e7f0d9f3939d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
8fe1d354587c79a2a3e33f966780193d

SHA1
0a9d4c00d1fb5d5a7694999835a2d539b963c2d5

SHA256
3989ad678843efcfd94318ef01a9e9ecd616570c4258b45ccfd66d430cd9b447

SHA512
9b3362ebf487737b78e661c778b25667d10f1741566b41c1eccd738889f2c07fa47b233ca897e35942e080698956a7ed9b3f80c418ac035a9839ea8a6f4724a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
821255c7df385b7c21b881dd820ded23

SHA1
4d32ab6e96ce22ea41bd8bad173dab237c066d6b

SHA256
73f60fdc443b67c63a5e1c7bc7d561d67cdb35d93b133ebe290d90be1fab5f14

SHA512
c0d5435987c36a4cf984358bd6ef1d10439d51e1da89819464bce6ff8e046526ee68f6ebc5d7f703fd210aa5dbc70f1cb3e1cb15221f2b6ca1cb351a4356fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
5b6877b8ecf1c567cbed067362d7f419

SHA1
13e507f1e98b50b3e2f491fb01d03b5838512e3e

SHA256
93f55d64bcf018d77d267409d2707a4e7d6d902f129347f04ca796f207ee977b

SHA512
0c7897ca980d5794b5fe220822fb338092f9b8af67de00e826995b3deac84717bf9e62126e8b5e4dc49dee431fe70540a7c3a2e8def52f655a81d474b93530e8

Download Submit
C:\Users\Admin\AppData\Roaming\355cf6e1c3a5208d.bin

Filesize
12KB

MD5
40bcc9591c7fe965d27825c57ee5b082

SHA1
3a9bcd12fd0efeef273fa90a18052a1cfc30722d

SHA256
6b7b449ed5c760a64f4c225b88aa536c1e96a8e186faf5655a4ebdddaad068cc

SHA512
27d890a6565898a569f698219396da5cebd4fbb87e9c18b95ff9bbb1e83df9acd47fedb3b601ba00cd31e1d3968c542178bfaebadb51e7374f37bc8f30f928f6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5a3d234fe877acba99f30466ccce9f58

SHA1
e35c8ff6021eafe03321e8f59ba987f341dbcced

SHA256
5d5c0bbcbd339028f02b80a4ef1740a15d1fff70d780582d3fa9ad563e53aa4f

SHA512
ef5551755bda0ce661b653ad6da782b721ce397746c83b9152c59ef896f9b8d759fa4971186dea9ef88be72115f2e4488f0b53748f14d93bfda2fac624203aeb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4635bbdad22860c1f73e13e883da4786

SHA1
83eba784f5479894b8eb71e9be4e06e60ac33009

SHA256
cc86994c07f1632f17c474d0a4362708a8da31d9b0d5943f81ebded6875f2fa2

SHA512
13db002823e0a2e1530dedf19f211c41eb21c3e03b74adbaca6deacbfb759f6188a89d17f8a5bb051215806449215341d64b435dd1b13c84714a87ed5e9106e0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3b0c0fcc4a92ba6db8a944e776d26224

SHA1
20b8f38d9944eb1933c8d9e79e23eba56a1b8aa3

SHA256
6fffdfa44c56bf271e3954bef373509e514110294d0f4fe6f68aa5836b0f2106

SHA512
03137ecd11a8965f2ee56519c0d630a148460352ef01efca0183850252eaae066558e7259792a304602c81f9391ffc5fdb020df0bd8490fe9ddc4ff0ee6606a3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4958f4f3c2c2ac72ceebb61e95211068

SHA1
581a1505b18cffcd97e9df9bde2f2785e41e7e09

SHA256
8e75cbb2a55afdc5afb439d56f0355182b6be1318e3ed94fc4a7b27356d760af

SHA512
313d7582633f845a37567ee34e2d16a95a815e4ce509f8f7563e297a94f17da9d1ab0cb64841826307feadff199477c87ce3f85041b358080347e71b92cd1df2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b73cb9f7d3e82f356fe52deeaedccf21

SHA1
330e8c0727aeed94bdc2ad4d8e3e0baf27d16e1f

SHA256
1b3051ff4f54fbdb89e4c787b09dfed10b60f58537bee3296a9a9a2761055ffe

SHA512
e55273483937a47f3a9f1251e927b5d4b03db51d94a4a8eefb79ec2b30bb41a2b0bf97e7c57027676cacfa55dfc576354f1ee30aee26784647dd5879259130d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
630720e32401c9e5ecd7a609bcc7fc27

SHA1
e0421a779dade611c429fbe68bd9be6d1d12dd84

SHA256
4699001e1b5581336842c1eb3437c1739559cdabf522835e483c5fe81a75053e

SHA512
e85657162b9f9b316756b353b6a6379257b9c938d05cc5cd65e7558cba1a00692c78ff37a0db0c9089fdf331774523a57f9fa82f1b08ca21594d4f924acc7dd2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7bd00556dab47f9937d899704371382c

SHA1
868738107f55c72abf5cdec20499ddf7447f6320

SHA256
b4f4e5f8229bca6bccd8b8a95f3605ec9f490543822f45a1edc389f50f2c01ba

SHA512
6bff1e156a24001aad883591271abc9f28ad391fcddf783337faa3e24d5eb1603e77e442c6b89af75894bb5883e7c324151cb91c7481c148f51e2204a2e56808

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3ded9da23efe825eecc1f36bbc587c3

SHA1
99832557df5b2145433de1fca672a6b5b33c434c

SHA256
62a3f47349ed81bf32dc0c0be686036b4688a634cc0395d1283730dcaff069f7

SHA512
cc749c09fe23cb305b8699215e091dbf2d56abb154c33b30b7684c5d80c11164461d5f09e8f3cefc551059b6979685fca5ea57582b6d59fe5c18c108cd585c79

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0f0ce54f9c0beb77fadc0ba8f3c1631c

SHA1
294db6c75fc9ba95e40bc1c6c2e621a23fea8ee9

SHA256
b16b7c2157c4c38d9c2a9f1fab737199615948198a0a8b98ee73e782efe39f81

SHA512
ed256a0e7c3bd0d03b8615ebdd9f0001c97dffdb1c286df32d275b5f5aeca6aa5f75c9ac91d6fac1460447d760cc2bb640cb289d54e57c2d10e6af40ee1ad4ba

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ad23a645359ad4f9311c207032bc55d9

SHA1
7b087ca3a7bba8d2bc789fc52ce5e7cb56b85cb6

SHA256
ebd7f318c6c2b269369024f4584047d7034d08b83f9c2095d3ef59341fc8abf6

SHA512
1870f3ac9d47df2a874a205287f0290e85c0c353788b8ebb3aa913767c0bcfaff9bac462aec22f0bc00d2ec0b8f670b8c6823ae91d2ccfb813d68822d23e6203

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84f698b6d9f08df252cad5c0b2721943

SHA1
072de3e7956f4d6785c149d5647f2ba759e70d7d

SHA256
75ec321f41cfa7a5e3d51824a8a64bb7392fe66b62cada0df2dd16b69c9c91e0

SHA512
24a51a004f644f5add57fd6abc2a275c7b9b6c6872626a249739dd6401c9ee711d68f1426cc1c15dc23829f0d66a24cddc284381a4e3bb37d64aec1158391e2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7a6c6721ce60e80167497d1e31d4f7c6

SHA1
dcdba93598c14af801b16c0a9da0e3db389acea6

SHA256
b191e187486c2da5b661b5606e044d3c068a776d24960f445b97895c03a236c6

SHA512
37089cb33af984f25b4aa189c0acee953b7b04018863b124e32241d872ee76dcf166ef91ea16c8e05005864685563d0103aa71e7f553bc97ace92b866c5c27a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9fddd31365e74cc67cdccf634c72bb71

SHA1
a055e1b683efcc8684bd0a755fbae45a9db85732

SHA256
7c506256dceb0b56a108ca811753f9159226097009f3f8f8e95f84cc5533232a

SHA512
6a18655d6ab2a8aa95a7c98d0334072e05d5c104ca586ad8e47bab3d749416d34f514e644032216ee98c9b5adb87729e06159a42b2eca1944c3abea44e95e6f0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8daa4b58d111c1208576743eac28e1c0

SHA1
050216e807686d6c2aea9ecdd62cecce4c3eb5cd

SHA256
218f358d837f768b767a9eca479fdc3deab7fe4032fa535361bfda93f027eb7e

SHA512
2cc9317bb5ffe7952bcfe8234c800771c1bc655a90f985e85e539a91a6f8d272d9d80a72208fb087e6a868dda335b0bb6e2c6a452a2364416576febb45dbe339

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c5ed7c9d787cb3832b33120ac5ef1792

SHA1
c8b20c915dffc9ed84c4a9023d2f21cc99bc77b8

SHA256
bb01deba70b9c836baed73bf1e32964a12caa1648efdf0903bd28a670d64f708

SHA512
188912e34ef87c269da5af4128204342a30933d8f5e02fd07815435318115677f0b46f6718e239a7fa9a199e247df4837a1b8c3ed424b8d64b35230dc4a91b30

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
735844325e5394412d65c786be0d85fa

SHA1
ff055a804d02c95563a5f0a85721f8bf00d487c6

SHA256
71610d9179fbe3c2344d881a7e5ae2a02a455a4a0f743cbae70123231f3a045e

SHA512
13be9073901863a0a2bfd121b26ee97201fbb3c2945bd45684462d1a1cac8b179697b39521f9adce4b66982576e530280f9acbf09b9cdfe07ff709d1c11b9bdb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
85c1f73b84595779987ed5f0e6dc200e

SHA1
da7e63c41fd576106245e83b72dbe33c998f81ae

SHA256
8be99f17d469594facd4d1b2219c762b2db3c31e9adf9aea3dabc1a797e11064

SHA512
3633f2bc356aa3cd8ab1ef5fda8dc3652acdcae53c2bb935b835ac59756f41217d236837fa9245c2ac8496387eb4f42826bf0d943c09eccba4adf401ccecb749

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
944173dcbec57a6db7976226da62c01e

SHA1
097806192500f9bbc92d88aa30f1283e56b90e9d

SHA256
cc08dcb252ed16f53dc61cd1e9a53147bbf3ea4db13f762e40f7900da37eeb3d

SHA512
14a2ea2835efc5f3887d9c186921f439cf3093c9388259310fa55b08a2cc290975fe6a807235c4fba07135aee871ed4b6352b676919d8ed025907e1efad113ef

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
3d7497555f119f1f84f4cf4a3328d605

SHA1
5643b393e0cb96e5b510e8bcbf887597a6cc012d

SHA256
80e16db58d125fe3b668977a665f162a5ec39b8fff2e2fc26c2e4dc558dfa7ef

SHA512
c29baaee37cee7abb410fd37dc5544420b83f15c54a6389545ac81d60a56dc082f968f282599df64f29ab46458a3450a8e84bd292aadee99353540b417144d98

Download Submit
memory/8-159-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/372-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/884-168-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1120-161-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1120-106-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1528-163-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1532-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1532-449-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2280-96-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2280-102-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2280-160-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2724-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2724-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3032-165-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3144-179-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3144-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3456-447-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3456-471-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3676-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3868-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3868-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3868-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3868-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3868-86-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3920-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3920-94-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4016-192-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4016-647-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4036-174-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4036-12-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4036-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4036-18-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4144-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4144-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4144-401-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4144-74-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4348-0-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4348-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4348-9-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4348-57-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/4384-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4384-197-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4384-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4384-48-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4420-169-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4804-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4872-631-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4872-172-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4980-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4980-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4980-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5252-648-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5252-199-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5372-206-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5372-649-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5400-425-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5400-482-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-458-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5856-651-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5960-434-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5960-650-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download