68e3e732019b48203715fa1a3bc05c4ee592e6e902cc0c57382a48b38afe0501

Analysis

max time kernel
169s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Size

691KB
MD5

f1a9847484806401ae1bcb5849f94607
SHA1

2ff5f5ab4d5a42d221d9e36e779aee66bb9e51e7
SHA256

68e3e732019b48203715fa1a3bc05c4ee592e6e902cc0c57382a48b38afe0501
SHA512

0db2749e07b2ddb533e4fb61240aceabd6d1ee0a25802b3cdb5d53fcf49cfef4ec16f8a5a01ffc827cd16f709784c797214cc00915006aa70ecd5d6d5f89db37
SSDEEP

12288:4racl3u3JW2gh92q5H8k/jLUKciwGEBg/jKypVrtvzESII:aaclkJW2Q2tA+Bg/jNRV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2324	alg.exe
4536	DiagnosticsHub.StandardCollector.Service.exe
4288	fxssvc.exe
4212	elevation_service.exe
1584	elevation_service.exe
5044	maintenanceservice.exe
3824	msdtc.exe
3944	OSE.EXE
2808	PerceptionSimulationService.exe
1264	perfhost.exe
2644	locator.exe
2176	SensorDataService.exe
4240	snmptrap.exe
4572	spectrum.exe
5068	ssh-agent.exe
3312	TieringEngineService.exe
2064	AgentService.exe
4820	vds.exe
1624	vssvc.exe
4388	wbengine.exe
1568	WmiApSrv.exe
3044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cf31b5cdd8c8c63e.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{ACF4DFE6-B01C-48BC-BE56-4034216BC3BD}\chrome_installer.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112359\java.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003094da5e8d74da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088262d608d74da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000321b4618d74da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072a3b5628d74da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a355444e8d74da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005be999618d74da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006580c75e8d74da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000556cd35e8d74da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000711f2a4e8d74da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeAuditPrivilege	4288	fxssvc.exe
Token: SeRestorePrivilege	3312	TieringEngineService.exe
Token: SeManageVolumePrivilege	3312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2064	AgentService.exe
Token: SeBackupPrivilege	1624	vssvc.exe
Token: SeRestorePrivilege	1624	vssvc.exe
Token: SeAuditPrivilege	1624	vssvc.exe
Token: SeBackupPrivilege	4388	wbengine.exe
Token: SeRestorePrivilege	4388	wbengine.exe
Token: SeSecurityPrivilege	4388	wbengine.exe
Token: 33	3044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3044	SearchIndexer.exe
Token: SeDebugPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeDebugPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeDebugPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeDebugPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
Token: SeDebugPrivilege	856	2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1128	3044	SearchIndexer.exe	126
PID 3044 wrote to memory of 1128	3044	SearchIndexer.exe	126
PID 3044 wrote to memory of 1720	3044	SearchIndexer.exe	127
PID 3044 wrote to memory of 1720	3044	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-12_f1a9847484806401ae1bcb5849f94607_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4572

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3f08cf219e38d0e6e99658a21fc97eeb

SHA1
56ce1d1f3c965fbcdd2d902f1d3165c39bf0d389

SHA256
5c9f013a7956f51e980e2304f996787e24c02a7a54c5d768bf1f8ece0d0fad3b

SHA512
18882453b9b3928585592b7a537122ae249fcfe6a260f340e637b64579f88706b1482116ae8b4989922a71817ee5b25218a679947b29f873dce3fdcd98cab9f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
3fe6c58fc673b66118fa78b4217b72f5

SHA1
edf3ad9fc4764fb8b610d15398594581a6c8991d

SHA256
e802cf9e201567c6ff6769364cb76f897ce05b13b7e04ed7c055c3271d9e26bf

SHA512
24cc4085f78af012ff18178aecc52ffad1e7a14eeba84134391fbf77a9d099931329a9170aad48d4008908e8045299925d25c4af8edb4df6f5e5691864aa66db

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a38846279468cff3f066801cffd35a58

SHA1
fa9fe8fe345930802d8690fae56ccbfb086cecdc

SHA256
8e858da4a8924ffb59dbde9f485b6bdcf1822b4cda3f3db93700aa091afd5a6b

SHA512
ed399382693cfe739aec20eaa7f58a4f2fef549bece56826dc7dbd677daede45cd157f059f828c76121c1fa480fbd8db374d1857e0e9d3921a9970b160e3d2ae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3bcf9fb1b7e8d329bb91ec1b712d0cfc

SHA1
4cd4e51d92850ffec226eb94315aa9913b745f67

SHA256
752a36a49983b0b7645194876bb7ad99fc6c2d59a607603c0ddbb816b7ba743a

SHA512
a1abf63750e0fc01c687b2428893f8f1dd388d310f1b4f320d42faf18cd08565a7906425685778bff5ebbe2f635eb8b778e4d85fd279d6952f37469e72cafd3d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a7ac6dbe143ec7e5b2038b93ba0e4aae

SHA1
b30a6091c340b99471a742874e044d5f88dbad42

SHA256
b0af6dbf937089a50155bddb600d59fe45808d462638a7603ce9528509c018e1

SHA512
124e075991a4857b5002e3d6824620ed1bbe6104fe7492138c47e577dd83228f7bc660b843633e794363e1f71e3e13d175012ace7149c6d3668f1cee12602559

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
883KB

MD5
67222f9795fdcc07b6561351d7abdcaf

SHA1
171ae284b7718da2c3bd56a1df6d1e4ee5e85b57

SHA256
0d51788a1bfb54069c43c98f84a7ad1720595284d619a1519624378121cd4d02

SHA512
960e16e3cef42547459b01a1a83ba36370d0d4aa81a0282d80a3d9daff9c98f64e205ea4420b21167bb0d774fc0bf59b5b5b2fbb4b5edb8fcc678108ed7ba107

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
768e8cb39b55892e3cb1dbd607a0796c

SHA1
e604c7bb209df016f162752046b174ef6b14e572

SHA256
d372177f098ddd932ad8080feb711b41a13773405432ecf7d9d3ca2cb1a11bf1

SHA512
381a7d89d6c9df102fc6a6fed12c0ebff649952e79c967fb186d5b0e3925fe1cd32ed67b9078556f548d49427f01cac08da2bef7d08c401ce4e8f0e82d7c30b5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0ca499b36b7d15f5b0965b13b83339df

SHA1
11f3df6e6d2d48ea7bf80f0d878b2b94c34489ec

SHA256
7f268470d0ca5f02eb03126008f57e927fe5af84e9d98f25a30f77e1d406753d

SHA512
8341d735a6bf017704ac21c903e207e6712ddc06e2ae6e15f063c179bd9ebed51c268740d28adcb016bbee893d8a0dec183856e80da516079608f1dbc24f62ea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
15a1f9f302cbb32c72e2de135f5b026f

SHA1
8e6928c047b4865ca1654c437f58884d8c191122

SHA256
0fea02284660b2188650c914c421964124321914c9299bc16bfc36007065e32a

SHA512
dd1fccdb74034f04c8bb05f76f5e6baf07acf4f24d469ea3933a649d6476d714006339379452899b67727533477c8f72b829a95a1fe61b33d7de47c2de50aa3e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8e0b7bdfb1887876aada19d87ba368d3

SHA1
e8dfe002ebb29eb468d71aa6424e123eab3b3957

SHA256
babeb83c4dad0264b36086ded6d49f122334477c9fdae726c10a9d29ba9dfdec

SHA512
5e394d2d5d6a9817a18c8cabd45d020652101851d56492f7d872fd228c051c79b7f5a6225788caef8b550d70b8f5285bd5b5fab8ba1b2636f25f1d89345a8b26

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e1ed9048da0e72a31dbc20c377e49b34

SHA1
23e2495635d72be00b398a511ec004c833b76211

SHA256
d8d514e52417c5bd22b1772b4606d4a9e7d2c0591a84af58a848c4fb970a9104

SHA512
e1405d1dc535574014a93020cc478f6d242facd52aad5898bb23be5eec2ab8e7cc4c51e23e602dc25f3dc902d6a7775440d07d2fef19cb5d3364b22bdb267f08

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
83b7d11435e10351e96ee9c2414f074e

SHA1
7a33f3788f222d91f315165f0bc4780dcddf3a3a

SHA256
a209828835255de1f3f0a21d2729a84f7e822f3197053af9bcc17afa68d0d035

SHA512
7eca2921e5ceddc315c400689b63d5df2b4f1d6fbed814cb632236dfddd3e8ba561f31aa28b5dbcdab8307e65e46367ab10c0054fe9f2852b6fe48a01d801c9a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
34d5e4e74013d9ebb816450eb67c37c9

SHA1
ad81b4ebd6206a2aa89e3cb6ee75485c81278d7e

SHA256
4b912e980bd49f66067826c81560d5ae7f36e93f147c7d92c110a325266d1266

SHA512
93a289c1bf4aefabf304bdd5317c69feb5a144d8fd402d92fef013722ed1007865102300b0760c760f77cac60b0a263025487aacad96f29a3682812762775ffd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a716332020c17e1d326c70a556aec022

SHA1
e188f22483e00527736ca2447e0c9cbece8a4233

SHA256
b6502d7bad8b94d6cf6f384dc86d20ecd83b99a98db1fc196ca2556d3c11e5cf

SHA512
4c406fc48df114a324a4550563eebb74b4810b56e0bfcd4e55d4fc22c04a1dd1fecb8dfd997e626dd9dad1ae4cc2992a9d74ddcba03bf921a9c190f829d17f3d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c62ba79c8815a0d5d0feb5d350da7c2e

SHA1
d1780e58e585fcf26e9f9cac2f6bccc080cd50e7

SHA256
397f0d856d2ae2e19e4319f935e8b94feec154398ffc67761a3fb08a7c17dd85

SHA512
1d784ae8250052b48346cd7deacb7208cc52f294c36f2129d9c3787ad93cb8859a6e99e9327e0055dbfd9b595d3fed7b59043f580cdb085deac504ec752f408c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6d77b327f1a588cec662df68bcfbd618

SHA1
3c7180e1df43e9c2f022a4c19b9574154bd5c714

SHA256
47201b87bc99b6112298dff7e60326e055090bf69a6217b4a79ef000cf297238

SHA512
236b9e7388273a6edd435d5d7e93a5f4831ec2a4d7443c5cbf48afe311c2a0345ab170090229a18a0801957dbde86b5abfe35b3e2fc2209c41193a7207f14a35

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a5fc694b44ebc0d10b76301eaab99ae5

SHA1
3142d5b3f2eabcea5de625367ff5e9e68a15eaae

SHA256
0e9e44bb23744f7e987ef80de5ba3bb6466333b9d2d0ad1f743c74c99697c110

SHA512
0fb780885645f2b3bc9f6383244c16fe484ddb1f66cedfc75b64c2082989a58d4dc4403b69de564b4f04730db7e7df1fd4375ad360ffc09749c4f3fe43cfc7f8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
00a3cc25487c33f1348059b69c7a3f4c

SHA1
b27eb2fa01cac36c9b14cb914c5ab7b4ae0adea1

SHA256
69979289e797ff4464882b926b8079a90e643ebbf9f17c88a6656d7822593c2c

SHA512
7bfccf3d2d2779c4dbe2ee2926da7dee4fd08565e8561dc40217f798fde34e68a5ffcda837c54bd1b74400894bc78e5d48cf6b9c7f6cbd0af89f38793b45297b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e1ddfc559cc2a0df2f2de94f53a6756c

SHA1
d1da515043f886cd1c846bff91c4daf2f10d06b5

SHA256
85682affcd5ca9d7bb044ebcc966ed4a75ab8b36eb5c94950f314713477cc6c2

SHA512
33dcd26c16fde7b28558ae1d203c15f2aaab32100572dbd65afa4f8084d5518876cb37731b4daac8c42be5a002825fd39e09d960b9a14cfaf9dcb2cb622ba2ee

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
80cd8255eaf36dc0fff938670bb486cb

SHA1
57090dad1c6e1e9261b7f6c2294d54c8bad9ce39

SHA256
7939d3e877eb937824b6193d1d57276efc7918b55db61950b477ed48790dc94d

SHA512
0746913437451e753d16fe0427042168d867f392e261d4ccd7be8120f4fa47c607f1bd74af73ac23df276576e1f28303e5e2372486f456139a4d7d74cb40fc10

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fee82bb9881583313c2bdb383c24b6e2

SHA1
46dbea09838352ae9c61d6b1ff406c899627800a

SHA256
c02caf8a97aaf55fa4b18e071e67a3498d8c788dc39601fc8070b5ca583ea237

SHA512
787896e6f48645264406d3c25d74cdac9c9bff7ca584945f69197b2bc9ceed6292a53c96d11dabd5cca9af5ab15f1a31b4c26c45d016e519867db1029d560433

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a9b2f1d1dd72f59df8471e229a21f008

SHA1
2c73d321ff82f13ec98d75f6fce45400b0c90713

SHA256
561e3349cbf6f1ce30d844caa9273358e2ac8861ad33dac9af56b8d9b741cf44

SHA512
621b5e8373d398a5f884c37b4d495b403bfed57ef70fe00ab7093a2f8d4d0e4383d239d345bbeecf88728e02e3c895b314e86bf1b6b9f56d289a40bf61e8a4fd

Download Submit
memory/856-7-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/856-47-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/856-0-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/856-8-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/856-1-0x0000000000180000-0x00000000001E0000-memory.dmp

Filesize
384KB

Download
memory/1264-193-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1264-136-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-285-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1568-277-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1584-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1584-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1584-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1584-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1624-251-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-259-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2064-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2064-239-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2064-236-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2064-230-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2176-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2176-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2176-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2176-290-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2176-159-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2176-229-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2324-76-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2324-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2324-14-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2324-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2644-203-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-147-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2808-178-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2808-186-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2808-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2808-131-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/3312-215-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/3312-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3312-273-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3824-95-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3824-102-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3824-152-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3824-94-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3944-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3944-165-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3944-115-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4212-60-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4212-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4212-122-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4212-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4240-174-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4240-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4240-237-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4288-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4288-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4288-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4288-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4288-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4388-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4388-274-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4536-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4536-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4536-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4536-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4572-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4572-188-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4572-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4820-295-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-240-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-247-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5044-77-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5044-85-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5044-79-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5044-88-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5044-91-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/5068-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5068-204-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5068-262-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download