f097aff9a41e8595fd726a8345964bbb4e39b27c3f14a07a6b6bf2e4f6af2411

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 19:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
Size

5.5MB
MD5

469102d91286cdcd861e775e11f3808f
SHA1

0557d297135659625f15b601ba5bbe414adedf1b
SHA256

f097aff9a41e8595fd726a8345964bbb4e39b27c3f14a07a6b6bf2e4f6af2411
SHA512

ea24f2c748f5e2e68c6cc1067c697f60914f173fe84abc53a89e7ba25c909d546ac89681f653183bb6247ba9cab984c32bab53c65c6cf9e6bbd9827c421dfb2c
SSDEEP

49152:fEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfE:bAI5pAdV9n9tbnR1VgBVmj1Ms

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2876	alg.exe
2312	DiagnosticsHub.StandardCollector.Service.exe
4036	fxssvc.exe
4136	elevation_service.exe
3320	elevation_service.exe
2192	maintenanceservice.exe
1928	msdtc.exe
4932	OSE.EXE
4892	PerceptionSimulationService.exe
4812	perfhost.exe
2296	locator.exe
3328	SensorDataService.exe
3248	snmptrap.exe
3548	spectrum.exe
1436	ssh-agent.exe
3752	TieringEngineService.exe
2268	AgentService.exe
4460	vds.exe
5076	vssvc.exe
2600	wbengine.exe
5056	WmiApSrv.exe
5200	SearchIndexer.exe
5920	chrmstp.exe
6028	chrmstp.exe
5160	chrmstp.exe
5364	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\797faae64bebce60.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008124662583cdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8ad6f2583cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b31c012683cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fae86a2583cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064a5292683cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000477f032683cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8f4182683cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645102048172736"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061e5c72583cdda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
908	chrome.exe
908	chrome.exe
4600	chrome.exe
4600	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
908	chrome.exe
908	chrome.exe
908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	680	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
Token: SeTakeOwnershipPrivilege	1040	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
Token: SeAuditPrivilege	4036	fxssvc.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeRestorePrivilege	3752	TieringEngineService.exe
Token: SeManageVolumePrivilege	3752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2268	AgentService.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeBackupPrivilege	5076	vssvc.exe
Token: SeRestorePrivilege	5076	vssvc.exe
Token: SeAuditPrivilege	5076	vssvc.exe
Token: SeBackupPrivilege	2600	wbengine.exe
Token: SeRestorePrivilege	2600	wbengine.exe
Token: SeSecurityPrivilege	2600	wbengine.exe
Token: 33	5200	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5200	SearchIndexer.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5200	SearchIndexer.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe
Token: SeShutdownPrivilege	908	chrome.exe
Token: SeCreatePagefilePrivilege	908	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
908	chrome.exe
908	chrome.exe
908	chrome.exe
5160	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1040	680	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe	82
PID 680 wrote to memory of 1040	680	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe	82
PID 680 wrote to memory of 908	680	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe	83
PID 680 wrote to memory of 908	680	2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe	83
PID 908 wrote to memory of 956	908	chrome.exe	85
PID 908 wrote to memory of 956	908	chrome.exe	85
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 4720	908	chrome.exe	91
PID 908 wrote to memory of 3316	908	chrome.exe	92
PID 908 wrote to memory of 3316	908	chrome.exe	92
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93
PID 908 wrote to memory of 624	908	chrome.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-03_469102d91286cdcd861e775e11f3808f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x254,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb7bdab58,0x7fffb7bdab68,0x7fffb7bdab78
    3⤵
    PID:956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:2
    3⤵
    PID:4720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:3316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:1
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3584 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:1
    3⤵
    PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:2100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:4224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4756 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5920
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6028
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5160
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:8
    3⤵
    PID:5888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1812,i,7598218605252706836,10496290249149418396,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3328

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5200
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c27039eab8fdbb2bc35c581029c5845b

SHA1
bcbc5060cc74e4ca768cc4ed3bc874562dc2b56c

SHA256
9972b41e4fdab6bfbe8be03f61e15e1af455513205e1427325ba4d71d859c345

SHA512
3bca42af30cde5d8c04d209afabd82e749aa590478c5ae84c51a819e9cddbca069834b9a4e072414be801583cc30cb74570edf75163e43623110b4b25113db77

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f20ec990b6023af72307d1b755256d5a

SHA1
417a07afd6e14796d36a1cce751d9c9fbe99bc81

SHA256
f393e0b19133ed0bd3d584aaffc8e87d913a833342d46092c740cc433d943792

SHA512
7a537cd2e5d6f80dfd97a8c8ba6d2271212a05d72cd9fce7df2aecb3a3a7393aea9fe1050fdc9b13cde60d2ab6295d9fdd91f793a8e993e4f9443ec881090948

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2a5be24c5f9bd4966b0bd8db1681904b

SHA1
9fd1c8ec72689ef5e095dd1f3f62bce67df822a7

SHA256
89d5cdc7397d3ee7ef5905d15e9a752ba481005333567f457b12d90c994eb922

SHA512
2300fd5b10a09256fcc8183bb6ec0cd6fbd72bf346b0c5f835de8a87622631b9c415406715979d813e933ccc1b2dba90cb105520df47098c13336581941cdced

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6b0d677eec725938e39c0cfe9f0100b6

SHA1
b3de0e1919045ddc4d21787ed887b572424c9a78

SHA256
2ced04f68509628ca936f92b6afe69401c37659f3d5cb4e24b36e26eb48cf147

SHA512
f510e6c25b90a886f31db6da9d1dd1fcda315dad3432f2e637439a438b45eab5ffd57ecfa0832467d6ac2693a0bdca213b2e1d4d3cee6f323f5924c5d93dd7a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5fb0158dc86b653078141639508f42cf

SHA1
d5aef8a586ae27df18dc016404106db69d22753d

SHA256
2db2b5624efc922ea38f063abcaa2dfec5addbd23edf614174e0cca35ce35785

SHA512
d6b7f97f44e2574dd1ccb7edf20081948a7d23f84391a0db515f4b125699ef17dfe0d8fc77f3cb2a52302a97a4ca338317daded525a3276b1def6d9d7fa2801c

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f7b6157d-ad1b-4efc-a4c9-c06aea3c304c.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
12b83e989851738f4289adcc37d5023b

SHA1
dae4ffd3ea26a44812a491b93fa1cc360c63ff12

SHA256
0671e614cf8e13a6f5c0785637d353773dbbf4c3e127fb463ce099c79c8f5950

SHA512
c4f3930765c45d90abc5c2a5f5be42e6d4cb98f533a8c72f8fd9c4ce73156850f1482f103584dbda8aa911568dcac35f8322cd27083ac3ad78132e6af8857f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
edee09f0bfada3cdd6e7b67b60fd3706

SHA1
4d6ff7f4c4cc64c3b115adb272147116e6c2ce43

SHA256
a34ca3f31b97a631fa79cccf6a08ea3f4ea92fde328e1e3d73e161392c97b3db

SHA512
982bc2667ad8748f78d2bb808388fa68d58d5df51d5ca4a13efd04a380d73c72ea86e3608daca1cabd0217efe3713b75df70382e3261e07818867552197cf1f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
35bab0819bde560649bf89d0179a06e8

SHA1
29c9f03fcf6f9287a65d9a79fba550c1b0a55e07

SHA256
81eb4da82d6ba1f79d8fa549339f9b7719196f5d94b7c44fd2a620bf445a7b76

SHA512
db4f484668f2809e95af4c2a510ae8eac507a690a1d53033e0d4d15fef5d649e7ada3fb318f0976f0d81f692c1c3e7a4cdf21d6e97d56ebba6673a6504e5a501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56d2f459b601f587dc33a68bbe9446f5

SHA1
65f0b314a8b51f4f2adf178f1c1b76bfb9ff360a

SHA256
99d59528e9a3db07ef2858879554ef946514553617cbbbf9393f6d6749c62838

SHA512
a53222a57722a59a142b55af44b0d3a42a555871951db52c278671d916fbe11fdfa01e1cc3a4a2ee9da16d6badb59aa6a962f71814257c4e7a3da6e3dddea56b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575525.TMP

Filesize
2KB

MD5
4d9f9409a83eaedf129ae19f52020b6a

SHA1
cc3fa0ec8a8902487b43752522320e749cfd13f6

SHA256
d062f973e1d03a91206bd6317cf2ec9c69ea064d0fe95041f06975bf9e3d1a93

SHA512
8f93adc4e1399a5802dfc89ac8140ce5eeb8809699c0c5b58e772e7bef88505569f026535d3570e9168a774a825d7ed85f2639b069598c16b23af329ad13752b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2c6ba441ccc576fdfdb6bd4a9b9423fd

SHA1
831dae093c260cf7fd3aca9464b981b76767ef50

SHA256
5e5d7a50b60899f253b1072024da1e5bf927f1dcfd4a603eba79c9d18c2fd750

SHA512
ef499869ecc206f51293e37c2a81eb16b2f69b47d7ebd08327396369ed6979a607a13684841520df731417060fd20a02d8673522790295a4d82317b574bd914e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
18126dbddd6e3315d79e6454d37d9f1e

SHA1
408c93a189deca8c4315c553c3797c10e4664aa7

SHA256
a9a5c601d01bf16d1fbae8ca9be33bad94ee2b5906566fbc3e21146f17a2a97e

SHA512
8fe0757ba2073b9dae789d8e3c8bdc5d897868b7959cb94b3f132af4f5f1c93cfee6b998114cab3e838f863dc7722fe22330a02b5276ee4db9897ff6cfb8416b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
43a3b7ae5cac6ddbd9e0f442c0ffd784

SHA1
9b074d917070a8a8936a761e59ebd34ac94987d8

SHA256
d2219389dcaa37c92206d38e4d15adb849afe8efdfab43fd3b5b7f6fba530c2d

SHA512
247de1d3fd818cb453f3d3746814e586b31b2248add59e6eb827c62072e0afd64ee57e3fd8eb5189e95c0211d4039310bfa248f0b43ba480ee794ed4f8f15247

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
92aba0a88ce7fb083ddeaa2fb881c803

SHA1
0dced334dbb8f973891dfb309688b3c9573a4c40

SHA256
178b6f01164ae580376ff04b74999c5fdfa3607d7ccba7534b691bfc85e4802b

SHA512
8aa1c7d6d05f3916fadf27eef8853474e168a0876155a6051c147b7cd00fd3e3a140ff2252a926d708eed83fbeb4c1b17e1aa6aeacef32baf1122d66653b1619

Download Submit
C:\Users\Admin\AppData\Roaming\797faae64bebce60.bin

Filesize
12KB

MD5
4def21d27bba99b3caf82c00b52f64c4

SHA1
802142660d9b97b9720a7d653f99d204004f32b3

SHA256
98efcfee852b231f4eb006300213f16f8df76ebec574ec240b2c5b7143a73865

SHA512
2f3a13fe35f6886d30f08d9e3b316648b6a9f19148241ca3f5dc58376763e7a8c3d58fcd6967666f920dd1fa43ef535f0e67e940c4578f741f00e4b47f9bf5f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
dff8951c3db4e56c897c331196dcb992

SHA1
2212473bd4b02749f539015258f812a231e25b0d

SHA256
e21afcf8dcda4b01086d0bcb8eb9e6d6920233ffb174f24e19a3ac095da3f0bc

SHA512
0fcf7ab61e1a58049d2e270e2339ae8762afde77f92f62f35877fe1473596614aa1ad7569dfc951c34d23af9b0bde26dfdfc1d25a7f877e623bee1bf180bb8a2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6f6b54d7b6e20b270a6023aceaae7da0

SHA1
ab981888ea8f1a0009f10ca069b35918e5b2cdc3

SHA256
a8160cd35a069d6efc7dff6ae1f8e138112b440e2fe5fdb364c9c4fb737fdcb4

SHA512
76e2dcdc9997a108db2e0d8705e392b2f9671fd976c4576c6196b516336f1dbb75516776a8f88b9edd6aa383bd41eaa07774b7b51b5f7f1910e45d514453a099

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
797df54ab54dcb259a53b4693fa7b0d9

SHA1
d1e07eac4655bd64b8f3f4a299e731de009c59b2

SHA256
aee6f13362fd365050a2613fa56f2adcbdf86d0811e48eae51b92844c464149e

SHA512
dca113e64f9962c4249b0979c921eeaf6ad5d4c4836917018f72e797f262a5f2eb3ae0640f71554ea79bedc586b480b3b540ae61d5b5fe9d1a36dc3d664b6034

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
98d9208eb4ca1e9a37bbda331570911a

SHA1
70ced02af2e7e12f8ad5abc03be0b9bc523cfe73

SHA256
a51166b3eb17f5318d73d9ab172f16c9eb756dfde27330f66f0ec532b1de0e81

SHA512
38ba015ddb95ea1852b27fa1d6c39073b8beb31194e9f8aefce9c3de6b824acb0fc7c3f4ef6dc82e949bcaa715b01964c21d644a84a8df4c6b8b937c5acc2832

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
330c24fad6dd4979a01544aba4bd9be7

SHA1
1592b3bf8db8528e71790ba1cf645955014c6137

SHA256
98bdfdb73e0ff645c77decfaaacddcc0284bcc3d93ed13f9130c0b770a3e9cf4

SHA512
4113bd0fd6a0307f943e8a896b36222f282a15c6ab35f2469eb6c6cbe7c81d1cce5595bd1ae30b89ac9f52a07a4b22ee88122182cfaacf99995a005ba20c7355

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
50e6ff83ba175f9749a593e27cade07e

SHA1
a936bd8276894d12ed24f84d4b539def277ef56c

SHA256
78f8c40c715ce6b57272ea5ad4e8839857b87b1b9e5c22ed522b3751e13667a2

SHA512
82646158579ffb4611a35ea938fdc7d98f18a992ff649b1617f08263fc9248ef7045ab10c6a1210b58fd608e41bcc62f59412d551a9eb1a8ff84986745538e73

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
682c5a48bde668b127635ce9b630a233

SHA1
d36be7ef9e76d88cfef36816aaa41ae39dd4822e

SHA256
d4c30aad96cb5f87e9a5c1fd2c8089d8f31acab9c91ec4e0bd34dfaeb0a187b5

SHA512
fda7abf608c39e2270a682308b814d2c8966fa54e56d5b6e91935e17091635b469673e48574cb0fd0512133cd58f09f6ab7b0283d108c255a6b0acc0fe9193f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
31d37dc129bb50477323742c207f8669

SHA1
bbc38b048e5b8eabc2f85e914bf8dd79ef3d4c10

SHA256
3410c337b6fd91713dae6a328b4902fb294f0ab1fb90e2568eba40ec6628dc92

SHA512
d55d85e04e227b66744745b7de0413160a1c996dd7dd7c1fbbdfecf1dc89711d9e62f778aebc325b5beaff97597184841ace241d85ab8ee8fbf7bcf8eeb3521f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5ecbb2c4d5c4681aba972d3e62efa2e6

SHA1
c00913bb4d0654cd36bba21f0ee7cad99bcbbf66

SHA256
ca8ad0a6b7c7008a16387ea7c8faac7634f53ff37599a758e8392773a9a0ebe4

SHA512
1d67a1aa4d7ecfc0de4b1f080c3912aaad801daa7def8b0390314fcf3cbf8e3fdca660a6454af356ed91beb0e9ec1f13c9df9869635a54dbb65c2c1edb7c80c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4ba61f26ae8752bada46d6cf00b380a8

SHA1
1d206b1444a6a6c1bfd070ffa822b2ac885a7c1d

SHA256
cdeeb4c1b6dc93e302c3bf28cf44f2929483e4cb2137280a6b1042862d1f6aad

SHA512
15fb7cbc3fe59ba964fad0f3587b946496e23ff1f69efc31271d64eaa630fd368d404c46b53081071e2425220381383a0efb3f2994f9cc7b253b4ec742d78aa1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
82f7fad6fce5ac17720bb63877b009b2

SHA1
6de73623d1d7f2e0296c3754b95e518a4baac91c

SHA256
dc000fe16e83aa67dd8b148f3a37860842125c76640b3959991b215152e45cfb

SHA512
a3c6f31c063a8b49eb100ef5ad14c7fb5b7a1976827215707bf1b1126df423f84e8297a5383f1b130963b8e41d4720f8fd345c3c3536ef613255a57e25354edd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d21f424c6007fe21b6f589fd27b9849c

SHA1
6926fff34aba160f7b3d55ae093de65a20892134

SHA256
7a89de1dd755f7bed5897e8ddb1c14a7122ad0a250283557df2ef21f9dddbcba

SHA512
af03154bff0aa163d6e5233b21a90741ae282098a39c086709bef993bce4373599a4667a6bd3655f736c63b8aaf2f513c4048049a88096ff459d773804a9682f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
eb0491ef61ea891fad2e0325308170c6

SHA1
39d8fd31a4d9f85795cac629841d90f0dee12df2

SHA256
7150a84baf77472e7c2528a4d5f35d8552653843ed94d908bc2c5e3d93f28cae

SHA512
c8caa18ea2b2dd004ac632ce33139ce4980c5da1727bc5a3dcaf73d38be9009decfa128328fd89695d29315476f74ff38cda4629ba8e6c0274c6f07df9e1f0fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a10064b392ee5fb1886a29ef6473b430

SHA1
764f5ad1eecc90708c7fff1c25b8a9bdc992d236

SHA256
648a33dddda1b23e19507f62e4285f82f7c4d7c26f81a5e5df6562d7d12e6d49

SHA512
629a2e9a58e30f0aca6abe3183bbd7720495f3416af857758c3d2aa1193a3a835b78f44df74f4fd68859dd5b003acfad6b035e68c1f23a2ffc3a9bb8a21cbf6f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
74b9667f6fb9a7fae42508e4c7aacfac

SHA1
b1022718303343ba8f1fbdc2d7a47baff70d73bb

SHA256
fc83f909aca4ea0dd2b06235f7525dbddf24b881d32b1649ee8593c0258c2beb

SHA512
3e14c0dbc9492b5c1bb8d7a67e2d262dd660c86529be17258e0f774370c8fcf9caff2e31f62c212fbd1f3353999403fea4f6d2fa5ff820cc62b698fe351ebd68

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
388f22e1e056892e3db22b193630dec0

SHA1
31f520208c1ac6e5d4fb43847c59214b5aaa8047

SHA256
23e2a492ef3d06fdbb4b572decb705e962eddd088e796f4f54720dae4f79313d

SHA512
227552847d77db4cd06bd73e063a62474cafc21323ea828dddd72c65c4ba1a7cf2efa7d7e26ce3174d2e63891f74e25490d8e52834153c4cd9680b9706ddc150

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
30d996c0d3eb1ca2fc83d9d2b72611e5

SHA1
fa29d0d8ffa58c0a57929e000f728b1d52312d63

SHA256
e00a392a5b25ded76920c67a28526eef6bace72cf79c4ed66b2c8338163b8d96

SHA512
1490ceb484688fbcf499eec188328c1ffc44bd2e5c211bf5e24c749e67fc19eec940859669f2194f131fd84accb490442e7d6f6288c6850af437e27373ce470a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c7e5d7cc3710e2d1ea674feb9c3dd9e9

SHA1
b7b10e9919c8b90f3ff9cec09bbfb37f1f0bdea5

SHA256
fcee3f46648645cc3484682bc17890179c72f8b5d932328e5b39d6ac5edd16fb

SHA512
61ad17b158f2e2aae7a87a4a02880f534c9b53c54efad8b3e27b410651acda6b9495d18221d3fe8e2a99faf476840ec6d3063205f3de43f255fe4a3f5b4f8d64

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
a6e7bf45c9610ce4fa61473085cfc37c

SHA1
647f7ac0c2f74ac7f2b14f15bfcd9e68b5a8bf1f

SHA256
46a3b3028edf02346302b1ee0be06b5333d8953503cbee641687b7fe49cb419d

SHA512
4bac9b3051935e233ab60baed6facba9a40ce6fa9d00309b9f06f234ab119fb2be4af0b8fa26d24f8f884e7ef018651a3f05aaeda88ab125cddbc980f15eaf5d

Download Submit
memory/680-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/680-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/680-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/680-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/680-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1040-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1040-17-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1040-138-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1040-11-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/1436-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1436-384-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1928-113-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2192-88-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2192-99-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2192-82-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2192-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2192-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2268-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2296-162-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2312-40-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2312-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2312-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2600-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2600-223-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2876-169-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2876-27-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3248-172-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3248-340-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3320-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3320-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3328-544-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3328-230-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3548-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-374-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3752-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3752-399-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4036-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4136-123-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4136-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4136-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4136-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4136-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4460-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4812-142-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-222-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4892-139-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4892-127-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4892-216-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4932-213-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-115-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4932-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-107-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5056-226-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5056-573-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-566-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5160-439-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5160-385-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5200-574-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5200-231-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5364-408-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5364-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-453-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5920-360-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-576-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-377-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download