5586e1a6fd4d7b6bab385a27706a26fe471171ef945a83165ec89b0695cca4b9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 15:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
Size

5.5MB
MD5

f800226227b5005fcf775edc8b089870
SHA1

a5da361d7f7b12407f2cdda6ab2412fe34e2d760
SHA256

5586e1a6fd4d7b6bab385a27706a26fe471171ef945a83165ec89b0695cca4b9
SHA512

76a9698f619d62992793feb78fe6e0cdf7d1d5a5d8bda43051b014d22b490a7b71d9565503459a358fd10a4b00f7babf25d589fb246391bbaf1b7f96e095d34d
SSDEEP

49152:DEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfQ:fAI5pAdV9n9tbnR1VgBVm1ATJS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
396	alg.exe
4488	DiagnosticsHub.StandardCollector.Service.exe
2552	fxssvc.exe
4896	elevation_service.exe
1608	elevation_service.exe
1900	maintenanceservice.exe
3536	msdtc.exe
3812	OSE.EXE
1416	PerceptionSimulationService.exe
3836	perfhost.exe
4548	locator.exe
4064	SensorDataService.exe
4672	snmptrap.exe
4060	spectrum.exe
544	ssh-agent.exe
4948	TieringEngineService.exe
4572	AgentService.exe
2644	vds.exe
4452	vssvc.exe
1972	wbengine.exe
4644	WmiApSrv.exe
388	SearchIndexer.exe
5492	chrmstp.exe
5632	chrmstp.exe
5748	chrmstp.exe
5840	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1facdb70293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f829a735cecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071eeab35cecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033c7c335cecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000225d5c36cecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c15b335cecbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2216136cecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000715a0637cecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643225472356633"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b876d435cecbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064bf5e36cecbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
4928	chrome.exe
4928	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1096	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
Token: SeTakeOwnershipPrivilege	3288	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
Token: SeAuditPrivilege	2552	fxssvc.exe
Token: SeRestorePrivilege	4948	TieringEngineService.exe
Token: SeManageVolumePrivilege	4948	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4572	AgentService.exe
Token: SeBackupPrivilege	4452	vssvc.exe
Token: SeRestorePrivilege	4452	vssvc.exe
Token: SeAuditPrivilege	4452	vssvc.exe
Token: SeBackupPrivilege	1972	wbengine.exe
Token: SeRestorePrivilege	1972	wbengine.exe
Token: SeSecurityPrivilege	1972	wbengine.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: 33	388	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	388	SearchIndexer.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
740	chrome.exe
5748	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3288	1096	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe	81
PID 1096 wrote to memory of 3288	1096	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe	81
PID 1096 wrote to memory of 740	1096	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe	82
PID 1096 wrote to memory of 740	1096	2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe	82
PID 740 wrote to memory of 1760	740	chrome.exe	84
PID 740 wrote to memory of 1760	740	chrome.exe	84
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 1284	740	chrome.exe	108
PID 740 wrote to memory of 3192	740	chrome.exe	109
PID 740 wrote to memory of 3192	740	chrome.exe	109
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110
PID 740 wrote to memory of 5000	740	chrome.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-01_f800226227b5005fcf775edc8b089870_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffae94dab58,0x7ffae94dab68,0x7ffae94dab78
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:2
    3⤵
    PID:1284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:1
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4164 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4580 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:4164
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5492
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5632
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5748
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1908,i,6596165138505455606,18049829101113024636,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4928

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:396

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3772

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4064

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4060

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:388
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1a5f46ba3ef115264a6ebae576e84009

SHA1
5f5102a47cdbdb4a4ec3176d40127e2c68236bae

SHA256
43ef41c045ba3aa4ba133891f79faa50eed6ac8c1906cdde68c74831fcd9cd98

SHA512
5da1b931df66bd55d2ffd53a8819b35667bc7c7bd4da9d8c99c316f871fbc84708ae507b61d551eb7356a60f187e193002e97554b475067fda4ac653a5a66183

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
7339cc0d0cede7dc1813fb381b963b3d

SHA1
6b7ce296681e9f5270f52e73857a655e3a94ade4

SHA256
0f5aed63c27b4602805f51b5e672572f11a645a0fdf19ff35e6974a499ecddc3

SHA512
886c1a202d4e248cd3599a93e0ed2b706610347cf72fa60200d026578f297eda71aa8d27d4c3112460cb14dccecf5d6cb4ba91f09a111319e3d0382d2adf1520

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a30fc0d94dcf215866058c8042fdde8e

SHA1
2cc246d716e82dc831e4d70800ab606805154b11

SHA256
88e0a0eb0c679791568d3b94cff2e4ae9a733407d56530aa5e04db85527ca5f7

SHA512
48724f37119f69f20c77d864fba62f33b972d509ab45d78f505b0edbece9bf38388a3178de9b8fe13e84f400f810f02cf8255f51b8da6d2686e66be060e84442

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8dcced2ce243cfa68e654c7fea0562ce

SHA1
68bf5032d64c8c4cd3da69b217f163fa75440e96

SHA256
1c12c9c1f9796bc7043a74e5385e93d3ce05248987022f68baf69994c7beb04c

SHA512
54a0f218bd440604103fe0e5ead02893c9b0fd1b0ba9a65f5e15cfc80e0211dc3df38f0f2ea099a1a5127dcb4bc445379de9aaea027a4b5b8b4a5e84b43f1c9a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6ba9486822517debeef930e13f8fc53c

SHA1
0b850a876aecc150caf0dbcad155c6b30f67e252

SHA256
4db8d8fcbf031b8642910541f6413e7f7067482fa7a18da5872b047272e35e84

SHA512
d250ee968017f0bd52260bf31c757161e1671651aa01c08d1831ce26abf41b4697aaac457d0325836694356bd17928ed1d367ab84a2559cb5830bba08395edb6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\be7fc564-c013-4aa2-94fd-03f9db007182.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0ccd44cee0a3c26f4d6e491bf938176e

SHA1
08d0387ae3cbc566255389811ebf010004506fbe

SHA256
2beb3d9ce2faa6e7ffcfd1e390a13b3e116bf0c475cc2a189e565bc7d427aa95

SHA512
f28c0bae08dec290dde853cd9e734d64e3c3084bac7af8098d6210eb2a4a1cd45c97a905c9ccfabc3dd72aab2f914a8654848a31a30c767c88ab4f98f01173c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
26ea745eea4a1088cf3d193853460bb4

SHA1
dbf82bd511ef3791ecfda3d660ddc42110789bfb

SHA256
c53c7f5ead524177cba4066a070254a9e4ae29b9eb57d7646fdf6e211efd7d85

SHA512
0591138782234cfb2622f7efb75699f01932c8dc29cbe42475a63c1051786f034953504ed5daadbb61ecd1c88fcb786762f889649596918568b8cfd251809a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d969d0125dfe435dc7ba763d90babc6e

SHA1
4b10af4a906da34390c15ff981eb5ddce54deb8c

SHA256
82ed5e3cbbf33fe3db4cce96cc866524279cc792073187d259f440058e667cda

SHA512
f41b9bc4e3a28d5c24e65f723b8bda7edbed56005ccdeb6192262d6ebf43dfe64ed429e6c93840fb17cb4b9032468fb0cf63689e97fdde21c9745b7cd789bd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5778d9.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1e26c92752ae6b4ac6fc135dc39e83ea

SHA1
63d0183a954c9a8e7b1c7e9d6b56b70b83eb551b

SHA256
618b04332e3a213b26dc1adaa11ef5a6d510ed85abd5c6ae6b34b0d5bfa9bca5

SHA512
fb81476822ffc7da532569c996a05cfdcef8fca67e55b0f0cf7f5ebb1cf7b65b34f88d90b69fbc8aa16bb985b9096a92ebabf7847d685e7fa6dc84c27fa5d271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
269KB

MD5
59f811b63113e0bb57fa50858ab295dd

SHA1
b2d59a5b85bf9e9435e14a2ddc65f18c25bad330

SHA256
949319c488357d6a4a2b511108f1ae75a4ec8fd850d063cb38f6a1a02ebbc07c

SHA512
214d64eacf72f121bb3f148a74db3fc12a84ed326d82a0fcef347d6754e47522ee32ab18cbdc28818d0bb5840f1e0d5c8769919f15e34c6e47e8b57fd467aa40

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
751fd76fae63878f3bb7123bf80958fd

SHA1
cedd5de1d2e9d352a89a1edfb79a7f381da3b239

SHA256
098a9ac29403b553c4530e001274702e8df136e25f6e6955eb5bb09475fe5121

SHA512
232555d919e594a1765b953e9fa4f3db33f7551450a36c506218cbec42cbd9b59630ca568678b73c835ba36df1f724bc06eec5e4fd2fa0dbae77c9078bb5187e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
f8ca8bb2c40c10bb6b22104682f3ef7d

SHA1
fbcf1146c01c816d1a7fdd5030af92f8f7b0fc5c

SHA256
116a529f06948574a2ea4280894910d75e0f094954c73423a77a1e28b91702b2

SHA512
8e3c00b3eddcae6a46aae4bef15feb5f0b7db53e21fb2bb0eae096b14102426629e8e3fc7898ecb70960784a327a41d54f0d3673e98e81c6fe8cb5a78cb41db9

Download Submit
C:\Users\Admin\AppData\Roaming\1facdb70293b476c.bin

Filesize
12KB

MD5
8d7ea87d13d955f23bab9e8870002a85

SHA1
73b95c1078c52806388c4b4a642e16c129483e5d

SHA256
9edab34407796d5ace49477e69fec5f56cc52ce1e270c54678386e89ff555ec7

SHA512
c611ff776803a2c1815bbc47c876cdbd1a22907de306a0bc0167718e465715417aba4112eba82969e84dbaf7e100f8d401718cd2aa2180e9545e62ca85cf4c55

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
596789049709c6c6fedc841c12b73405

SHA1
16d700cc007b385d9d8715bc4247bba09ec6616c

SHA256
17ae56d800414dd1f600d9aa65f0c7e5421c2440a7024d9079fe330f3c935b1c

SHA512
535b547ad38024f6e5248c6ff170034dbcf9c82cc9bd51a72790dc6aa414387360d067f785a593a448e356daa73fcefa0b4768a31d674a9e3dc790ac41228add

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
db88aeccf23553777693d5d6da320c2e

SHA1
3cbfe0d59556329fdd7d5456ad491efc5e29bad7

SHA256
a6971f050ba369280ca45358851ea400688e0721c746f4fb7d4d2c9bf8347ff4

SHA512
9d174675ed796045dc268da4f38c362aff7f5911c287b936bc554d9ef33ea9e113eb10cae84cbb74bcdebcb0ec235ef7bb0b641806bddbe5d7338bbf22376d04

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
ae13027b784231845437d3bf59aa89c0

SHA1
aa8af8980375a5460fa0f08ba662c05a631884ba

SHA256
bfddf5c00b153075331e4d5779b01f17ad5d75b0ed701481cf17990d1981409c

SHA512
923de5ccd374f70104be09aeceae5adb924544a146be8a3e3e4351e52c53b03bcbc0f64e61ff241b2b1dc1480db05968d8f8ff4319d849480f1b5862ce5c51a8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2166b4d545d5bcfc22c8971f3436e4f

SHA1
c9a54ed204416433d52715f4f2b837566975ceac

SHA256
d372736883ba3811764faaa49ebcbe7dd656aa5d3a8456c0a6985cadea4f0b8d

SHA512
30c608749a55dba86f49aedbf4c3c9ffc517bffc4caa9ad7a173530f1f129d78f32feab187791a072129f249123ecbf61e78b1907469565b0506c62c97aaf2d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
08da66e26c2ac5c44e9a0527700d6c42

SHA1
6d56a05701aa69ffbc7f19a7963bb58f9b0d5ba6

SHA256
407d7c6a197fc481e5d975729665515cd08217187a7d144ed309f3d36920d5c0

SHA512
5669b71774256e9feed38986b56453c7a6088a518d3c49dd145064a5c5811ada7a4130fbf31fd5795e49f666b8fc4097a280b7c2da18e66fba8e486f3edd62c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
b8f155ce2ee3458f0bb285f816937dac

SHA1
b2a7a9a882d173c7b708b35312dd4faf851098c4

SHA256
29655350dd7b8144d8b384751184d53657848f44aff9ca3e4ec6af0b84dbf287

SHA512
4608f23755e6d4c0fde038f4748b81456d50c9ab270f7a77f046c84cd97b0b942a7e9c52d11b36c8b590c54dc28466c7fba76b03af485332d0cb0a7c92c12141

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
4b76e321b7fa58f4e9aa05dea5bd6fd4

SHA1
b8c107ebb7c763bee42c33d0fb3b304d5276e9fb

SHA256
186c8dbb38ca11ddeb497f7b8e5ddae4c5799b1ca4e6df1fe8a9336a1d2981c7

SHA512
dc4e7ec3f74109129a60a13bc8f6dd69def1a2b5e9612e10a6ff92e7d6ee673830d0b774bafcb58813cb36c31b8c0b7be17d9eed43f0734b8ea5560a048614a5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
918f80b4214ceffc5695a0e5f47f84bc

SHA1
483f4b0ae559fdfde9d3e20e7d845f736ef1d98d

SHA256
c40306e98573ed08847292c1bea16bc908207a818a8a23161995eb33b4637149

SHA512
ec865e745d9dc3cffbb068094fe9979fff372fbfd7a5e6ade319fb6a6c629b2c6f55d5278aa5f4801bdebc339bc57208c99dd6cbd5cdb474c4b6f0d1fcf3dd56

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32019687bdfdf1a696308058c626f698

SHA1
109543313ef3a2f2bcef937ef9383dcf1ed4aa13

SHA256
53f7b9fc70a6b615352eeb483bc4ef41c30ec469ce3fd265c9114b36f747d3df

SHA512
e4f2636e85ae0416f75a62e89d33eeb70c6bd42dc6c7d43d1062fee3f59fc32bda65c2afe7b6ca63f4c90f3e3de6d14eab40d7aba3819b42e57d751b26ea5e16

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e94e5021eb87eebe4b3898000abc316c

SHA1
14dded6c360ad8063b6e7633f7f57f6669963f95

SHA256
1f46caaf10a20d2b5fb6ca1fe0bdfe627e7a859baf1155883b0541535b4a7523

SHA512
24f6ff7578ba69b9575cf67e02d30f1c9c14f057e68e4da7aead3d2c5e889830ce412d2a77acc80bd41be08b389afeae72a02123acd4c1ee61001ef0703c4ad5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
0f84671eb23f3efc8fd1811d47771f55

SHA1
0a5aefd297cee3cf4c6535c148a3ea3c5a0a927f

SHA256
a9ac9f8e94387919fa12abde9a9e0d476724d190c2777db55ca9f8ee29ce7593

SHA512
63316b00a3da3d3aa603a9932e00188e471eb9064987c588692113f37bc618828bfdcc1d241554b30ac1bb32ea279a57e69d98aa0d8d719d2414bee36ebd9f43

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
19c678f1a849a925eb962d2dbda66653

SHA1
0a01168e8bae1450b38b1194fcef9949c3c01d1e

SHA256
f632de759bca3cae1d5f1d6b7da2d17fe3579f3961cf0574527e8547be66fbc1

SHA512
cadc956578c41e94bd0deeeee3a7e4442be8975048f81096b24c9096b05b4cb6dd3bb33b69d2291492efaa5773e3a301e9285aa7bb83cb115e5cceb944ace84d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
e7e4b15065dbf3732204b539fb1d3ab4

SHA1
0e427a1726922de98d13060fac1dfdf226ea4f2c

SHA256
8c020d21b467b46fa26e32da019675c3939e96e1319e3cf08e3474718cd2d25b

SHA512
ba45593dd74cca72f16cff97299ef5efc50bb435bb3c17ba892888be82b2dadfc812e961023516d34da8eb72be726db7f55585d7b62eeb0430873a3eb7db8695

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
3e1ed7c28fd3bcbb25c089c070c20429

SHA1
3f243d51ac6238fa3f64c1c41aa8ab079e6ed2bf

SHA256
1907bf3a7fb9e70b4bcb00f90ce443158275142eab45ffa80335b9685724dd35

SHA512
9f43c0785bcfcac288f7e1b4e70a3d15731f09d0d51f2c779e8250fe17c4d3f87f9ad6ca9851eeedb8469361372302d6e1c2c35e62ebb61388169f5a06839413

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
a389476aedd989943a5f94f025234853

SHA1
cfadac37d1213e4a4bbec948835c6dc136f71a75

SHA256
be18df2bf6584f4bdf85a1bdb9931433b821c53c9f439c9c6b2d4286b2c06a35

SHA512
40db338e9265c1d19407349788869bfe09b2712c48a7c7d73ae64ccaa4e2cc5df5ec1cfc9a02320ecdba153973cea5b2dfe73383ee0aeddf9ac05f99eb128033

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
40c7241e02757de0e81230439eaa912e

SHA1
34f9341ac6d4bf10dcf9438b1a4a7c2321ac756a

SHA256
672ae333b56aebe0a6e6d2ccc9219c812e156776f56a0dcd24b3e795a902cfbd

SHA512
f2eceb3690831b13527fbeb81357d2115673181bd265d3c31c2ca959e4ab8ad4b6537896c87e0e50f082507d53645833b5f232d312530d6bb70403076ee8fa80

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
f7b4fa5f4624c4b11c370289e6fce8e9

SHA1
cbd5cda20546f1618f229ee728729f7870f0bcb8

SHA256
6746fbc6f2b30571be1b9a256de60d2f06cbf3df6a9666f14155398efe7f8ea9

SHA512
b73b171c2810d2713ad242d2e9e3640af43274c0f63c9da9642659f7001fae9520091b1a14ef1c1ce5fc460cf0466b11e89e479e7288754fa00683818bbf4f37

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e02e90efe75dffa69f32fccf5bf5d363

SHA1
df3f794bb106583334338087a8ff4be36b52c46b

SHA256
42c0f6aa6d884cfa9e43a9dbd3fe046b56cfb9e31c03863087f8e5becce87a43

SHA512
6657f519c1e7a711e54f53c7096db094a25c283e013ac96268d54ffccaceef81ac4378073d6b4a9d3f077e7449d0be6a05da048c303e4c91e5403204210deccf

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
memory/388-685-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/388-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/396-34-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/396-515-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/396-29-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/396-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/544-212-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1096-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1096-31-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1096-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1096-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1096-6-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/1416-173-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/1608-162-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1608-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1608-546-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1900-91-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1900-103-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1972-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2552-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2552-62-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2552-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2552-65-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2552-56-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2644-276-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3288-211-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3288-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3288-20-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3288-12-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3536-165-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3812-172-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3836-174-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4060-667-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4060-190-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4064-635-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-176-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4452-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-683-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4488-529-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/4488-44-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4488-53-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4488-52-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/4548-175-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4572-228-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4644-279-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4644-684-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/4672-652-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/4672-177-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/4896-76-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4896-78-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4896-70-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4896-300-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4948-214-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/4948-673-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/5492-592-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5492-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5632-686-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5748-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5748-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5840-687-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download