982b11078870cebf5dca8c01abcbd677ae3503f8e42c4cc50ce063852f407e14

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
Size

3.1MB
MD5

63079a50c43de564a9e2e5a7ebc146e5
SHA1

73c7cebcb0b4b94615eec37a7a98302a4c594907
SHA256

982b11078870cebf5dca8c01abcbd677ae3503f8e42c4cc50ce063852f407e14
SHA512

b53f522c5efb90ccb3d3b085d9760656330cd9d5929123c783faedfe782ca8504863b4b5c1450772e4ac5b4a657b6ff52939875dc9a9de3c74012c7b70efd842
SSDEEP

49152:+w0rFYicKub64torDZg30AiShLtivJGHfAuOp6mSlFr6PTaaxid5/IbsT0:+LuxttZiShLtebmac0bs

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3148	alg.exe
380	DiagnosticsHub.StandardCollector.Service.exe
2176	fxssvc.exe
3708	elevation_service.exe
2264	elevation_service.exe
3176	maintenanceservice.exe
4264	msdtc.exe
4828	OSE.EXE
2628	PerceptionSimulationService.exe
3324	perfhost.exe
2492	locator.exe
3404	SensorDataService.exe
3300	snmptrap.exe
3556	spectrum.exe
1512	ssh-agent.exe
5380	TieringEngineService.exe
5576	AgentService.exe
5720	vds.exe
5804	vssvc.exe
5944	wbengine.exe
6088	WmiApSrv.exe
5176	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60197fea2a644d7f.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{13D35E3E-D723-4ADE-A208-2AB0A3B02FDA}\chrome_installer.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009de2890e5387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c34113105387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b8f7b0e5387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f41ce0f5387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098bf4f0f5387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fade10105387da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cc95a105387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073aa7a0f5387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018d3ee105387da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000610f200f5387da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a885730f5387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d1b0c105387da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
808	chrome.exe
808	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1284	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
Token: SeAuditPrivilege	2176	fxssvc.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeRestorePrivilege	5380	TieringEngineService.exe
Token: SeManageVolumePrivilege	5380	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5576	AgentService.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeBackupPrivilege	5804	vssvc.exe
Token: SeRestorePrivilege	5804	vssvc.exe
Token: SeAuditPrivilege	5804	vssvc.exe
Token: SeBackupPrivilege	5944	wbengine.exe
Token: SeRestorePrivilege	5944	wbengine.exe
Token: SeSecurityPrivilege	5944	wbengine.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: SeShutdownPrivilege	3648	chrome.exe
Token: SeCreatePagefilePrivilege	3648	chrome.exe
Token: 33	5176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5176	SearchIndexer.exe
Token: SeShutdownPrivilege	3648	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3648	chrome.exe
3648	chrome.exe
3648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4192	1284	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	86
PID 1284 wrote to memory of 4192	1284	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	86
PID 1284 wrote to memory of 3648	1284	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	88
PID 1284 wrote to memory of 3648	1284	2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe	88
PID 3648 wrote to memory of 2272	3648	chrome.exe	89
PID 3648 wrote to memory of 2272	3648	chrome.exe	89
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 1548	3648	chrome.exe	97
PID 3648 wrote to memory of 4588	3648	chrome.exe	98
PID 3648 wrote to memory of 4588	3648	chrome.exe	98
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99
PID 3648 wrote to memory of 4680	3648	chrome.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-05_63079a50c43de564a9e2e5a7ebc146e5_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=90.0.4430.212 --initial-client-data=0x2c8,0x2cc,0x2d8,0x2d4,0x2dc,0x14021b4e0,0x14021b4f0,0x14021b500
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd50169758,0x7ffd50169768,0x7ffd50169778
    3⤵
    PID:2272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:2
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2772 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:1
    3⤵
    PID:4820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2780 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:1
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5216 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:3804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:4812
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:724
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff60bde7688,0x7ff60bde7698,0x7ff60bde76a8
      4⤵
      PID:2488
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:5132
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff60bde7688,0x7ff60bde7698,0x7ff60bde76a8
        5⤵
        
        PID:5180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:8
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2764 --field-trial-handle=1900,i,11843622859233188646,4352221554364453173,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:808

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3404

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3556

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:6088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d3706dca07270ca1406fe8f6ce2f63a5

SHA1
9d706c4751c7e24da1f1a44841c1d3bea3e301f5

SHA256
61321d6aa24803126eab69b3a22090c0b7f9bb88e8711db295755a95925d239a

SHA512
3a03dd3bf915122ea2b50c223be0dd6a30197d6e7e43c35177c3ec1c3cce4faadc5080ffb8d502c21a2f0fcc92b9515ce84cb2dacb96aaab97151d234886ca3e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6980b503425542108c455d96b73ba858

SHA1
4dd011872e03aff0b684096dfee7c7786b4c6df6

SHA256
8a6f14dcc49691fe2c8ff3beb2d30220eca3e38fad97186618266cd34a97120c

SHA512
3a7859f014a5dfbe68baa4ed2b77d85e68c0740132fd834c824fe84406169d8c09bdd1dd7e2cd74920c447989471ff9f0555083b9dc0062dbbf7081bff572950

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
664ab998b1f522d46415e7433bb463f1

SHA1
347ea2727513b07aa3b6d71f9b3cf2de477d3e2a

SHA256
db19a074a5a2a8e622b4cc37bdd12eeee3f3c2c0ec194b49c01742b045a765c8

SHA512
e9b3f33a02a99a5335e71ebe5eb622e0a1d51ee3cee786cd85e7bedd688f658aeb6a07204d6efe0e8b6a2c53c2e42db4530842b6afa814bd16536265f5a5198e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
c964f8450fba2e73f64108547fcd85bc

SHA1
a9db56183ca94871e6f94522564b55e3ecdb2429

SHA256
a8dcc9b87389747e754802764b15ea8c08c4625287291559e5470d51a56e966b

SHA512
428c2122916a8dd08b8f8e3b245d0ac4526d0813cd356fb45512068c0c6b0738519da02528161cae085db84179d4cdd4aae81999034f4e57d0bbf4d7e30010ef

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ed43c20c-17af-4e2d-b03d-4f27409b98c3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b605879e08d2c37a89e0a7cf9cebb008

SHA1
547075286a6e5e6a304912cef29adf2a5379458d

SHA256
2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a

SHA512
f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2505284b-6526-441d-886f-a26df9b08173.tmp

Filesize
1KB

MD5
26aa82d74e593973ed66c15dd7939d50

SHA1
8207e2987a7e35e493afa58e72c59099c3a82701

SHA256
6f295946704546c4e20d5920afc748421d1132375124bf336bd287035c7fb70c

SHA512
69670f800eeb3db590c7900f8f4e2ce7557d901d3f86f637ff497501253c1461f6910cab88b7b7458185662fe0e7b86af7e76790e086dd11eb63656398e90380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a09b909c6b491da585dd008f2d4417c7

SHA1
9a81cd08a2932f66a0ad4dbb17e1076333327413

SHA256
846a38130fb82394eb9a1e7cc1e35e42e06e13e4e87d5a1204022a9e3d8dbf0c

SHA512
f1b44cdd9ffeed57cbbeb32b8127927f7d5cadbdf02e6efd1f75ca5bd6be368fedbd6be576af2189ffba3b02e0153b0fa730d4c2be40843cbdc3697f22f8378d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e60f17a0865511e991bdfa5462d75520

SHA1
3caac22756102aeb344cc2d3ee84af7c40d22ca2

SHA256
6efa706d21b723414ae0391ee4d0d9de2f9898d64b85bb3871643c3d3a066026

SHA512
012dac1f93a29d3e948417bfa4fb1bf2b4b1675d88d5d713890553c6eb14e77e7909630daefb55596b3f850d9396814b8dac8b5866511e0277640b06c8f46724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
dbace2dfcffcc87102736fb5256a5cda

SHA1
495c489556993c41611cd4d0e62753711dd3893f

SHA256
9e3f2e824af3dd8f53fc2df2cf0d9326ada06952dc0173d37c4ba72b37fb1b80

SHA512
d9ba1002500c745ddcd2b40cc9c5bf793e349e27c5734ad6a770693e93c276722cf09bfc35204b972993d0cd930b52ca74cc98acb629ffb2d0bff38406c6c4c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ed4f25be81e4ff47141d3269d5a30d0d

SHA1
db701f3e20ec8e6c0b2849f420ce1c2d5bc65783

SHA256
490c29b987071e7a061fbf7b31c99faab281e169e5f4889f7a21a57a881688ef

SHA512
d04f7350f4dc6561102643589853980aefcc4cc8d39b29d9a87a5665183968fbe74ec4a7bd637a531f3a78c84681dcc4879099e28c7f348f7c9d0607ed22d75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4fd42a3df58368a238408942617a860f

SHA1
95f0326b4664ad98da19b2ce5f404cde68ef0cc3

SHA256
e36480ba7ff2d568de065045b814609062fef53e51c3a7a24afa111d3238ca5a

SHA512
fa7a8caf2232f5bd10d30b029fff59eb09e8f24f275dc0f7223782918579f94e3c3ce10c1eb2d2be5648c891d79b66a7bfbc89fb2465e6adbdf74763bf4a5d52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57fc80.TMP

Filesize
2KB

MD5
ef3aac392c0d75f931c89cbb67985e0f

SHA1
ce61a9a0890645f7551e4188f0dc09b324f56b63

SHA256
474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec

SHA512
22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b8289bd27c490bd45a08418d61ddf663

SHA1
5cac500783187f16493f2175ff8b28acc1f1f05d

SHA256
e177aad8e465e7380f7d42f00b24c7a28705c590bacd5d5bd17a965c2b8a31d3

SHA512
c1b55ccae5ed113ef5314ced04b9916b60f32d2cd36c7877836313225279f115ec8f3fe0a8ba242a1e947be6fcabb22d98e34888c6bb9c5c37f2acc461df054a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
5f91ae6875393b7cffaf44826aeacbb0

SHA1
383afa385b7eaedc4d53b8ef159d5753eb33eb34

SHA256
c51aa3c92dc1768f044d4b0981372c72154d2bf0e82d3e72ca0924bbb4a34496

SHA512
5301af512a5b4e361f4ba0ac7509d929a9f3c31b07e028213d0ce5ea2e4621299c314f1edcbd6e8f7efc7c0af5f8bb26033511bce6a670e329f277f930330b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
dcbcb493ca61c477bcaaf22bcd8fe4a2

SHA1
d403f0eddfd2ee226cd6ef1962b39047b1c7c526

SHA256
dc0b575ff0fc506b62c70d1e433820b62a6928ac99a20a598dc56fe70added2d

SHA512
7da30b3e1fbc6115836f2cd73c3e63046c37c9ca2168884143fa72b2bc4811662824f4d4043564663eedd41064e779e9d2ac65cf4b4f313afefa72c8c55b063a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e4cf9b4136d1a42d0f4639838d5ed32d

SHA1
9abc2386451be64ed14a980b9e678db7b5e9c4ef

SHA256
1a862935b4e0ae25be152a8006a6bd849c5c30bd711d6296ceb5248dc2d16c90

SHA512
9c73c612599e08804e5ff93eaaf0590b78fa24cb051627f693c9f478590d74a195e07495eda497f71ea1d5bd3979ce72f534e016dcdc4bb803c06dd63cf3a168

Download Submit
C:\Users\Admin\AppData\Roaming\60197fea2a644d7f.bin

Filesize
12KB

MD5
d02c7802f72a2a37dd582904089fd770

SHA1
742e83c0b417cd385e48c9cf3d4cb6784d08e37c

SHA256
6886d1bfcbd76c9faec8f3b32c6fced8947d0938174b3a618774960d1ba357da

SHA512
eb59f07c8cfd06ca99202ad5b4af312710fc2046c36946877ccd025661a1a491a036db612ac2d67c17b113239f73594105e4ae75b26c8155f298527b565a69da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0aab95ffb181f9dc377216c84f426b8e

SHA1
edbd0511ae7066e09f26aee2ca8372c2594de0cb

SHA256
bec8293a620ad6018bf512cb0d8d69bd7bd442303cf22958f5939e400bd88fe1

SHA512
8f1db759cc7e79ad1e7362c12da0ccc3127baec5d083520b898bcb456d0f946eee62ec63ec0442eca4e573543574727c1d1021a3296da692087c5f11ca922596

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
25bc84583b1e2b9599dc910b4bb79293

SHA1
e20c83dcc508960cc2dece53bb9167ec39b6faa7

SHA256
9367f11202726751e8c6620e71070e6787557b18e9d40e3032d50aae224e17c2

SHA512
f11761889b9f0d123c0f2c7af1d958c52c00907505137abc22e359d69dfc164dcd1df35e846989c220b52a4c7308e53c999021200d0534d7d7fc7dbc7d6fb2e8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
de520c07883caa0aab5d96cc61781fb9

SHA1
8413428f911cb9d6edcc800caa3691186014bb97

SHA256
cb8eb0e889f452eff6e09b176fce66a15bc7a3123d29e256d3ab918ee9e6e56b

SHA512
58630e3c676c4b6c01d7ba7ccc2294f70f1f33571aa459657a24c4c04e0006eddd8de44a8758e0cd32003dbadd13a02919ccaf114f63fedbb02b9b3d0ab80b9a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d27b8ee1afa257ef4e99644cdf46a14f

SHA1
2955fe01d4d18519d539db6ddac51f9433d0e70d

SHA256
e8842dc408a9a4c7205b9a7a35f0f4ab92c33f712945da1066113493b089cfcd

SHA512
e1c943ff9ea6d2aa4f076b3ce2bd028229ca72b09b12f5310e9e4e13cc31ddc8e7075a97f886de9cd693feb65cf74574d432f1103e580d0561792a6d377e2a70

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2cad26d526ae7ae8133176a175f45b99

SHA1
cbab64a6978b1eb8e695f69bc5894d3de9162ff2

SHA256
b4a3c19b053492a02f44b5397e3c6167bfdd13e6eafa5ba7c7bd2eed6e1404c9

SHA512
910ab8aba185ee58bb3c20d27143d292131c46762480a462d107d198113af5674b11bf0089ab76cab5574c2b017a93770d80c4fd5bdf9412c5b99df90add9ffa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1065581a4881265eae3521077d9d0269

SHA1
2b50e2abb07fb754f8ad34be2979ffaef21ec881

SHA256
c91c86fd2815b5b873f1fea35212a5e7c1e5827ec211333747125123d0bab7ed

SHA512
501c1f3c0aa5258f881aa4125b657e017227201b15602db3cef3f668949711ebed554f88c03283be4982c205f469285ede9dfec780a1529ae474413f3946878d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bedba6f8c880881a5d44661712fd983b

SHA1
2bd67b19c329f02b432f98fe0ce100456b7fc03a

SHA256
de8daf0b21fb3c0e26b38c7a6613cd884e789c6f3b77e75f3529d16baecda1a3

SHA512
a02dec62e70bf66e92db114a1d1c1215699433c8e6ae60e2277b67abc28a8d3532c527fe3133ddc6f8b66b2f0b5ba3fec169678d62cc7ae37ae88be85e5acffb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6614fe11c545b2fbb35556337832cf2

SHA1
73f1c8945d1f78bb877c427ee3802b9de64d5d6c

SHA256
44d1907c4be77206f385a677c821eb5520a5852ef93e40b7e18964a434f48587

SHA512
3c5c0c07d5c75d0998f5552dedc356aba104330761214288e1cd5622cf2e10148e42a78ae1fa3a3f07b96b47f8c15e3612e90bd1a5b8bf552df731064628fc19

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1e99e6088846075ab74505d86b1b8011

SHA1
26b1ecaf8f4ba520d2842fd0112b6cd8b34b573e

SHA256
c6d73ba037af65bd7ca055553230685563e6a0947092eccbbdde2bfc27854eb4

SHA512
08fe8dffc9cac589dbd9897a2c81613109b7bc23c977f9845de321dd7d273c3271965cd3beed0db7d0951fbedc10347c8418478d055ee284fe73eea1061b45d7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c6a8c3e1731c4db57a19d6e0b9863fa3

SHA1
f3f91a6044ef680f478602f9d451227291f8a0fb

SHA256
8db4c95dbfa94c35a3fdb094bca95a0d1c3b33eaba884c377841fc579dfa85ed

SHA512
85efd57a68e9827e5b3056549116f6530900e97a4ac3a290dda7f2c86e4285569d6ed6918eeb5ec4fef657313053265ccba1af364033895b4475f00131932039

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3166929c98cac537d5fde0fd9b87feae

SHA1
73999ad1499b73154e881a655395253ba83e8183

SHA256
396fdaec6533ad171d9e47e8b957fc03cd5d56b1322ab412ffe0c22e4dbbd969

SHA512
4d6d3f0bae2054ba28ec745e2552b44dc5e7ad612bf41366b31e004f89359607bcde94e3ec35739caa3137d4f826353858b47fe4913348a78359bae382fa65e9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3d8745774ee9e15972fab3cff9613e05

SHA1
288460ec2ecff132c12af4ff1cb770ff05600135

SHA256
338820d83470b8a4de26912fce9595b03af58c7bc719925b537b295cbd13919d

SHA512
74f72c78ce0481dba7eab9afa24422f617bb8562f9538725b20555191194342c6c156c187fa918c46f504f8eb84895d2bc9505cad24e4e15ee0738a7d529cc96

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
20ac4eb2373c854a20e52972ac68d6ae

SHA1
b0d27ff9fd9902662c5a45f1863b8faca15c2c81

SHA256
6167b7a7bb5510e47d378c88fd55aa7b3bf1d91e13c4ba7a5fe53fe63d1e75d6

SHA512
10ee2c1da420ec56e9b6537013a71b285bef954f3411175ca0640a11c65b3d7348b2a74ddb74625577742b8419e87af74ff8a93c45204326eaaddd68cb01a81b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
0c38636ee40963bc3ebd3aadf3211ad7

SHA1
e1f66977eeef3893cddcc62721981fe04ac84778

SHA256
555cef4869cef9e4f6525cf8dcd4ffca3ade9e5c305a8d260d2f4ae4c00f825b

SHA512
358e612cae9131a63f031406929d6e082781e016f2969c5ce32282afe58cb19d3414caa7a7bd1536ebcd105b092a4d550ae121d673880d55ab5073926e3cff2d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4c63eacfa2cfe6367a8ebab562090666

SHA1
15b9a7aa0ff97508917e0c721cf954543abab4fd

SHA256
7c7a23335ee10ab1c1b309904e8ee501f1ba67a2848e96caf9190974be5d1913

SHA512
3af02c96c89172aea259bd086c8272a3c680012b7c87640b815f008a4f380da1e932cc04c6b70136ecb551be40360756707aebba5fa6a3ccc89c3ca6c06a36ea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0112f708cbeb340ea913ada1fd9f1e00

SHA1
a12dd39c511cdbd700b153759afcf2a3ddb843b3

SHA256
086a2eb3bc5abf347df6a7363302a49a8fba34d3c85595d2e2740850d3b4d4a8

SHA512
64fbbaee5af2ea3720f60394bb7c4576e5c762c998fb6a5311a62fc265ccf82dca21b0a8b30a0e559329356a63944895b49f6caed6ff67ffdb48b76d75bc84fd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d5ee75dce77e4af097c7e3d685620d94

SHA1
b6a242ee07f165bcf5d239e376437a42d38ae2bf

SHA256
6252dd23dfa0685ed26d0212848de99c656737398fac5e4c31609d95b3bcd030

SHA512
4e398516b02b5a1078ba34031a4d246f023f9ac5a811a272ede4e3aa1c07609aed8e4db707d8c0692eb9942f03b489b6dbb4515ef78667866ed33f9fe12a31c6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5d8be439300e40669e7016a2cff7919e

SHA1
922c3cfe6946598b4979dc76761b1e62b059513d

SHA256
dd3f2377459731252a30e420dd24a0270f434336d9622887909e36ece3487771

SHA512
df6c8be376ffcf92d85fecffe553b15b4fa2703a05b33f7111226a64be1a2c64f7c5536abbaa34c0117eac5593155f5913b09c859fe690e7751faa979372159a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
7806f070ee1bf48d945790a0c2a61355

SHA1
cd3804e5db65628f5a3c0a8accbcb6d10544280c

SHA256
6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895

SHA512
c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

Download Submit
memory/380-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/380-131-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/380-45-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/380-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1284-0-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/1284-1-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1284-7-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1284-35-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/1284-30-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1512-272-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1512-252-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1512-350-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2176-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2176-57-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2176-64-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2176-74-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2176-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2264-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2264-92-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2264-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2492-183-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2492-191-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2492-283-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2628-165-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2628-172-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2628-241-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2628-250-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3148-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3148-32-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3148-17-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3148-91-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3176-110-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3176-112-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3176-132-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3176-129-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3176-124-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3300-211-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3300-226-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3300-324-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3324-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3324-269-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3404-205-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3404-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3404-195-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3556-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3556-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3556-244-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3708-79-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3708-119-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3708-68-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3708-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4192-84-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/4192-11-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4192-22-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4192-13-0x0000000140000000-0x0000000140333000-memory.dmp

Filesize
3.2MB

Download
memory/4264-134-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4264-203-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4264-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4828-149-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4828-224-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4828-156-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/5176-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5380-294-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/5380-285-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5380-364-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/5576-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5576-309-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5576-316-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5576-322-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5720-333-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/5720-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5804-346-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5804-338-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5944-359-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/5944-351-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/6088-367-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/6088-373-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download