66d9a30d9703ca0b3e3d845fa5ea63a3afa3e27f0a10c41aa2f9ddfdda38f8e3

Analysis

max time kernel
164s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
Size

4.6MB
MD5

b601a24f132be8175e18eec1617d5c65
SHA1

7d1ad0ff55a645757df40e98d6a40aca259013af
SHA256

66d9a30d9703ca0b3e3d845fa5ea63a3afa3e27f0a10c41aa2f9ddfdda38f8e3
SHA512

e7578c9391f9dfdb99eec034d87857bb50de31f9b455a18b6207274a8ca59d9de1732265de491ec7bedadf7b943b3de47dcb201307325c6485219a1c18af437a
SSDEEP

49152:QrB927JqNYVZ5bW2QNh7GgfUofmlh5Evno2Hr9M/EN/qrlq3S+okgvTTl87ePjLr:Sjr/LqgfUJcta/Cw+PB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
1380	DiagnosticsHub.StandardCollector.Service.exe
2060	fxssvc.exe
2216	elevation_service.exe
5028	elevation_service.exe
2856	maintenanceservice.exe
4716	msdtc.exe
1948	OSE.EXE
1616	PerceptionSimulationService.exe
2908	perfhost.exe
5184	locator.exe
5232	SensorDataService.exe
5304	snmptrap.exe
5364	spectrum.exe
5528	ssh-agent.exe
5692	TieringEngineService.exe
5748	AgentService.exe
5796	vds.exe
5836	vssvc.exe
5884	wbengine.exe
5984	WmiApSrv.exe
6048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bcfd2c111012279b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6AEAB9F0-2C27-4050-8B43-593439D6A280}\chrome_installer.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092719effd490da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133578383126949731"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4185a21d590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065f95e21d590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed191c21d590da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a12d4e21d590da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c3e6121d590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000affc88ffd490da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050f23321d590da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6aae720d590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000202752ffd490da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a01a3b21d590da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
5996	chrome.exe
5996	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4352	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeAuditPrivilege	2060	fxssvc.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeRestorePrivilege	5692	TieringEngineService.exe
Token: SeManageVolumePrivilege	5692	TieringEngineService.exe
Token: SeShutdownPrivilege	3240	chrome.exe
Token: SeCreatePagefilePrivilege	3240	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	5748	AgentService.exe
Token: SeShutdownPrivilege	3240	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3240	chrome.exe
3240	chrome.exe
3240	chrome.exe
1164	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4868	4352	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe	86
PID 4352 wrote to memory of 4868	4352	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe	86
PID 4352 wrote to memory of 3240	4352	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe	87
PID 4352 wrote to memory of 3240	4352	2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe	87
PID 3240 wrote to memory of 4648	3240	chrome.exe	88
PID 3240 wrote to memory of 4648	3240	chrome.exe	88
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 1456	3240	chrome.exe	89
PID 3240 wrote to memory of 4480	3240	chrome.exe	90
PID 3240 wrote to memory of 4480	3240	chrome.exe	90
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91
PID 3240 wrote to memory of 1152	3240	chrome.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-17_b601a24f132be8175e18eec1617d5c65_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.61 --initial-client-data=0x2c8,0x2cc,0x2d8,0x2d4,0x2dc,0x14037a6b8,0x14037a6c4,0x14037a6d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce5ebab58,0x7ffce5ebab68,0x7ffce5ebab78
    3⤵
    PID:4648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:2
    3⤵
    PID:1456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:1
    3⤵
    PID:2464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4236 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:4668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:4020
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:2680
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6598aae48,0x7ff6598aae58,0x7ff6598aae68
      4⤵
      PID:2632
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1164
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x21c,0x244,0x7ff6598aae48,0x7ff6598aae58,0x7ff6598aae68
        5⤵
        
        PID:2688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4964 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:1
    3⤵
    PID:3192
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:4292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:8
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1904,i,17815020713949943725,13894839202696842449,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5184

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5520

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:5836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:5884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:6048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5744
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7f97172b8b7a1b4bd0fa640da8c07b4c

SHA1
42c26cec06e3c7da41b0f97bf712670de6b87b79

SHA256
53c9e1b6c73e3efbce2f1a85642f057f737e69550684e2635496e99490fbee3a

SHA512
2812f620c7949a7db93eecb26a2b6ac3b512d416f70bb34c1d4fcc0db317f5f3fc2c6547cda080ddff9fb3a4ff648c2117f4a950bfd285eab79e4d5c57e8c262

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
867a9ae35cfd8ef561caa91e269bb62a

SHA1
22e657b9c00ddebfa631b55711cab607b53ba19f

SHA256
fe47f169507bb477f66013599d013c361863af9ea0887b03259bc54328687855

SHA512
90a0e5154d7a808efc7f6fe4b4bbb2d13885dacfe759ec0499b957396342f80015cae78395341251942ebc793f2276ef739a06fb21ed68e47d109331bf1db44f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
296ef84cf403aafbe8e3ee277a4a2fb2

SHA1
8d46dad2a1d3bed0bf936ceeabde8743243fe9df

SHA256
117e2117e4f3ceb7d94e86f4f5cf9a8eca11a9ca4b9f8b1002916d8b070307bc

SHA512
8a026368307dc7cae857503abcccf687b5bba0d63e7bae5a4262489826a353eadb81e3d9137725f48269f143e4d82b8c22a932d35c4cd4bc7558d550c321fb00

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d632dbb3d76fc5b4e12acabcdb86f0ef

SHA1
9ebb04ff1c96a7bb2eba41ef1a7e1332067dbb20

SHA256
30f808ad9695ffb7bf1cb27479b5871d60a551d5571a1b3c343437f920af65f6

SHA512
0686c498a66f5ac88e1065093f3b0d1b887c9a5cc2e69b8934a9337d821bbadd1d58a1a395c921c711c5eed6469af2032c163237cda921ed52c9fa145a026e16

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\08c07acc-cb41-43c1-9930-00127eb03b3b.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
d3349a596ca7d54f25209a2acff38639

SHA1
5d390f8e582cdd9f77c8d14a827ffa6eb6b2b873

SHA256
5fcffc57984f121d4451482e528ba1bae52d163d430406b5596bd93087364578

SHA512
276f120ff58fe047beb880fc82277308d79b0ce05ad423a520a474afa7d017fb1de03ba33699135c881f292d5df1b4a78ee2da4be95f217215860aae34bf12e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d553876084cbbe97c6c34e3386806b89

SHA1
0ad771fb2c939a7c3c483e8315edd0d25da8b0a1

SHA256
ac7786b97049fca420f36fefea15f948bd653eb47e70c259da286963858fee30

SHA512
1b773bc8cf4cb2ffaada270e9f9c541f1cbc1d6ca2d2d75f8cee86b51f9f627c4dfbde4c6bf1864788e8f62b10f6196568a5772229cd68204306cdc91d7b3a85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
25b17dd3243f176469ec307256c9491f

SHA1
caa86b4da196127b6d24d70088fd89425790d7ee

SHA256
9034b5db7dac5c866de5193899ecdec4a000f4e17fe178a1d94eb91c75404b2a

SHA512
6c5f0df55c4568d65b50c0d4222d7cbdfb7af0beb5b5e44c971be960aa760d085c20e0b6118031f0d88875851183633aef495def4f3bdc370bc7ef8cb05b099c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
d8ef088e536bfd76ce5cf58e712c07b3

SHA1
4f853bb32c946a2cec76c6f38cb779656c842982

SHA256
921aa999048920d28fbf142b63c10fe739c059c3c677e887f21dd598dbb12302

SHA512
b5c29750d38bf678a8782adb29ee2bb25fe211eba1c502b42c167187f2adefee61a32a58bb2213e471b5a42e0a1637fa0d6937c4784853ddc5b39a517a6c57a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
37407f3e1e017dc11eac3602fbdb263a

SHA1
1a1d981fa293cdbbd481076f1c22cbb204c07d3f

SHA256
32dde8757700978293f3a55726d4bca92ea43e586581ffc0b08b5cc6e54ce330

SHA512
664dd1278fd3b83c726094f38f1ff6374bf8fb1d9006129788fc1fe3956599297fc6c5d053e70c6e9a52a14c123e0464000b643d99617ddb1dc0bb519c8aaa79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57e88b.TMP

Filesize
2KB

MD5
d9d040d9af2828f394e33248c287f851

SHA1
0ec5d52a2d2d65877788a0c767f67999de31e1d3

SHA256
224970cb1a0b7f374d02f0539569ca1e512e2853e9851eea2691aa49fd44a1ea

SHA512
2091a483fc4025e30b692c068bc53fc0acd68d85f384bbfd661ba896f72164b005a510ae3c25623fd5c4678652a07e9c9b7f9ea69025bb9b24472c4664b08ceb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9a28637ee8bb8e56507ab1faeb31cb1b

SHA1
ee49dc4b35eb4864e6df6ef7467a3e30c7b63352

SHA256
cead45a30d6e3e101107d19af8d4b2a9567a1c78c4d490ca8bb685e5d0341ea3

SHA512
8b438aeb16c8523feb1ef739226096b14fb0e907718cab3e0133cdaaa4b75ca560a3ccec5100ae511c6e5b053a9e32abd06eec17cae7c17eb7edaed526e77c16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
83691c0287bba9728d10f717ccf1c077

SHA1
463c0c210143d97cb10c8ad9d313158deea62e8a

SHA256
2693216f75343a436101e7b372effa3a324fc20e8812e9bca0ac67cfe602cc5d

SHA512
62756db941814d2510c6968b7fa94bf9ef1dc51105fe752574e859f178164989e6b4d7372522b49a52937ddec059315ad14af4e104dd2761281fe4180b8926f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
a67dbd52e0242682072b231008050397

SHA1
065f1a6676b56512f013cc2c91aa64a76bbc5f7b

SHA256
bd7c090c53faff61f4559d92bcbba306ed39f9c82f0f6e929f5544976874ed07

SHA512
27717d09ba34d47b8c2a4f24b59a8ec5cb53a19e5d3731a293fdef3223375f5bd04f0c31fd5552518d618907b78c99504edc58db1fb54fa6193179bbf4bb74b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
99754c550f7290abe6624aba2b9527cd

SHA1
c39f6cceeb63cd456f19f784a49ea8b029dd8506

SHA256
0810a64a476a082326ea5ca2c33ed10653586b34a94adfe14aed813a1ef367d7

SHA512
6ba00bbb1b164ce9d6cc4bec9d1b176865b7ee67b1903b65b3d592a8d442224a51f957bbaffaf95f08c3131bf5bb1f928eca8576bb3fdfc15ed306ff0c9f2b9d

Download Submit
C:\Users\Admin\AppData\Roaming\bcfd2c111012279b.bin

Filesize
12KB

MD5
f380f84f8008ade48bb5b19e2d9c30e4

SHA1
5d8da1a07250a2738be68ff1ef1b0dbc44c2f373

SHA256
a53eec36706d597b9088c391c1ae48aec4e12ebb762ee8a2e0828e338343c796

SHA512
1bbd6eadb24f46f8fd6e867f4ab8de036bd1a8f772d8245e1815879781847f5890a14785a7292723f74a2e35504aa40d5435c8b330f958a84c50ac5f56fdccc9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
05b044c9c8c840fa8ce500124efe7659

SHA1
e758affb149ca1eb42798d13841ab5702b2797b5

SHA256
ca275838a8def0832b7c493faf8f1fac1c5bc9dc4bcc5721aa2138f09e02d067

SHA512
4125678413e77eaa6532a7e88b401f1b350d3bc65ee12224944286aa2626b68205e23ccaae24957798c33546e6bbd7d146c5949a0a6b28604c9c84c52c532c54

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4623931af6b1fb49070ea8316147cec8

SHA1
67cda210065e2d0b66aed34a6a4cd9390bb95b92

SHA256
04a60286fc084016c29fa4a71e9a0478c16bd1191cf3e3b27799a16aa04eeb42

SHA512
fb54238c0b4af5a89b8e6457038159527593b2539083e6895fed2ec414534fec1911109d4a7119a518b7a994786008bbdb617a90dcdf562a9265a871f562d68e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3124e1941b195d52258dd268b1e66914

SHA1
3a96e10957cbcb0660d857df574d8410182da08a

SHA256
095dee55d760cc8734147ac8f92efc2a8f58dd0480724d3866b0fb8d75d2b07e

SHA512
0628fad1a2f77a5a3c2269c5c664e4e049fefd882b24762ffdc162a2d1f132c0eb6050fae9737c806edb77c927cebd4a334f56e5401f34b393013758c0eadfb1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
635737d65d9dca61247169bcc5ecc90c

SHA1
d2c383ca6fc4640bc734812c1b7f8960916fca96

SHA256
a49a7287c2ba62be99d3ea66db191b782841a32f8ecefaca92419a4b798cdae9

SHA512
22e470fe9d917ed1758631c522a565864388c512bf2d09ac1b0cf8834f258517a8de772a1b374c749ea017e30c263de095a23415f86d5bafc9db5a54abd34cb3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c866c40b1737c7ea1d52f7ee1959e7ad

SHA1
c0b6ab2d1f8627779648db3e0675618a594dfaf1

SHA256
86b6b96f5df71b87cab9a968521f48c0c44ef218eb56f674d8158dd2816116e7

SHA512
176e3370a9d310df580ac89b557ee5d3e1068e6bdb53906be7f44a36bd0641867efd227eb021e3e56e2a5405c24f6cb46f895b6a1b3392b128af5b6438df9e59

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
75684e66046762635b931fbeb60013e8

SHA1
384f21358459110744c855ea7ecf07114e2fe6e0

SHA256
95afa1f8451735917a0cb67ddac77c64650f6b5338780759deb9777b785a1daa

SHA512
b7b24719aa98fe670ebfdeeea203e091d4669af7988cd0c0daea7763b0f34a460df5d2899caacc53d5869bc20adca8f7736ae782358b2d878dafec58f92f0017

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f63d2ba25b8ae2a0a6fece9b156cb1d9

SHA1
6147c3b4d0b17c8a02f268b3e6982ee40b843f03

SHA256
9c98f9869e64171ec291a767c872167cf31c49d1fb104947ec8743f36bc478d5

SHA512
d58ab8ee41eac33845314042806b0e098579ea0c7201fcc2bc6159775b1e97ea6def01fec210b66393923ea3a3f1a644eb0da0b0411c560b80578444b2a31de8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bdae54aed63193d9d4800b4fcb4224a8

SHA1
70244693901fbd720e69dab98cb9efc959b857c9

SHA256
f5d94889f6c2d4a2e14e39a6b42cc4d8d14c17fe039c23c84832673b716e77d2

SHA512
46e3692b158bf740a0b721a88a1b8acd647961b52704983615b96b8e5a5bd68c2dc4fdeea55be8a0bf41b9ef66f748eb0bb278f5cc8e488c266a924b886fcdc2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
61cb01d1feeac6fa0ae7fde779390c5d

SHA1
11dfeefe748cb3975b0e15a106928c7d99dde01a

SHA256
4cc364a92e820ccab2ca49c23ea99925a979105fe93eea1a937b3c7b08db9c14

SHA512
04567545c1747d1d1b470c646af23e36e3c1dad0f43be3de7148f4a00ccb0825deafc78ae2b8c38a79807cb00d97bb5da82a67f481ce7c55d6bb9cd6bc07b8e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d1f6aa8c87d50279b02cce55c9b14373

SHA1
99780c02f5968431fb81da715d34b06372eff345

SHA256
24aa0a76de146b38fb2e1e1190f0f350c70abe23b3300a9151c20226d89a0433

SHA512
3d1ea4fa92568d8fc4ae9cc6c629587b19c94dc0a1f94624e2a35dfe0daa77f0ef4f7277cbf5c619305426232b39b87eed31068ad2699e250e528b4fa49a52a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e3d90852ecc504e7da123f7520f05068

SHA1
fe278accf9e4123c88c03433cf26ac33e8320022

SHA256
5209dca99749c4882ef61026648baddf2c16375b0734886ac0bcf9f8fa305054

SHA512
cbc33cb2a23a909863edf72f77c827fed7543d85e7dbf06de2e6fa84c9d4e20d03d517c72cfb6f6bdb425a09416de6c8b5e3fb4c09eeb77fa12fca6f37583429

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ed627d192f40b8af4882de10a5f6a7be

SHA1
1ffc901838bb3c08996069485000e1619f6203cd

SHA256
cfedeb2d7eaea8573c9e938882be5059c6fae073f33dcea452d57d7b8b53d3cc

SHA512
1df56ef9dfe413bd4d4dddd24eec3ccd6920cce58f3aed57d559bcadf2a6014985557ab3354d50075ce87ce3c12428b0a1d1b94bb7da0fc20855a86b3e8fbc45

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
25d8454b661c9a31d079dfaf5697ce89

SHA1
39223e35703f707d44bfa28432e0743b3fc61a36

SHA256
0a8f8b8487dfbeb262f6cc6b37efcd6798b71a77d346cd05cf02c9a80ed984bd

SHA512
a44bd8d96f7fff17484bd063030f88ef029ffc5f36308e2590869421f6999da5fa4970029103429070519ee3663948eb1a85b2534f5e42a78101686e21ed395e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4262f0cf442a7517bd687b14b160b665

SHA1
1a80937260fb4f152979b54a970925aa70005bcf

SHA256
93ff2081ff0aff0ce03f69be8aab80bd88b3472615230cdf74c0dadad1b99425

SHA512
9a75be3d93d1b9a000c1ec930aec11f5b615ff241a39a1a4d8053b0a12b0470f7b605b45f2f15f1f9ee0e748d38b8efc53e6a1ba84e2828bf7da00750e41fe38

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0507d0ba9b9f3fa0824c6302bbd1227d

SHA1
decdf2970504e1b3e06de0da926ca8631795eca0

SHA256
8e99816d8c996792b6cfd4e4b9a21a04b01333266f5b6eb11e3440787be2e5ed

SHA512
270a2e3ce7e2656fc96930af5706fbaf10cfe0bd181ffefe927642d12602cdd41ac88d9b37990799ac257670889b40366c693c4aeb7c312dbe81468d8fc6e773

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
736e8aa213f30c3dfecc284ed05b6289

SHA1
3f9d5b6943ccfff0177c2099a36f0617c293e11b

SHA256
da21784baaa94b6270f24b7c398147cebbb89e534bde27b25bd67b24dcc7d063

SHA512
93d46f8cfa09aae82cd6d44e7f1172fbf066942bfb8d712d49ad41d2aa0963c9412895c012aa7374c6484bc672797bbba517b9edb9cf1392f62b68a97ac039ca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
eccf6f13cd426b7d7d46523bc25b43be

SHA1
75f7e3fb6f2d57de695d97a471b3bca6cdd267a9

SHA256
95133229bf5feec67273b5b74b7a5f2b4701bb56042a4001aeee0aa853b2428d

SHA512
84d71a37e333ff37c43789859a75c4c618b21f128f1c36da7318e13334db16a8a39a6ab1c88ab04b9f2e78968c128a845bd8bb51e9fb4c42dd638b27112025aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
78089208f9729257a300c4724ca1a8e1

SHA1
ab31a2ab5353331a6f76649c757227c03c4f298f

SHA256
662702be43131297f00d2fca0e629a1e79bc59eb172711b720a2741b10964678

SHA512
bda39411b0f0ea813133a99d29124f104f605f48aabb6d0944a941201e1717f27fa192e5a48605d1d665f1a67bd1a38ef8b2dfa47b2853f8490bcc9afb88343a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
eff6be2d6063585c6ed4f264b5518103

SHA1
767875e9fad292043705a75fc591369bfdf27941

SHA256
882f1b0069c23022da369c2a80b580830cde172c8e43f90f35484b619afe1c90

SHA512
ddc05ea3746a6fc260820988baea3407c3374ae0f720ee7b3a3cf8e7899f040c925095d4d6f023fbca0826a889851069b1828d4b3a53f20d1a5be13111e81198

Download Submit
memory/1380-191-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1380-90-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1380-91-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1380-105-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1616-269-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1616-220-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1616-211-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1616-205-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1948-201-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1948-253-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1948-187-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1948-194-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2060-124-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2060-144-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2216-142-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2216-136-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2216-135-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2216-218-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2856-175-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2856-178-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2856-181-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2856-168-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2856-169-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2908-223-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2908-232-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/2908-276-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4352-2-0x0000000140000000-0x00000001404A4000-memory.dmp

Filesize
4.6MB

Download
memory/4352-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4352-8-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4352-25-0x0000000140000000-0x00000001404A4000-memory.dmp

Filesize
4.6MB

Download
memory/4540-556-0x000001CD5AAA0000-0x000001CD5AAB0000-memory.dmp

Filesize
64KB

Download
memory/4540-562-0x000001CD5AAA0000-0x000001CD5AAB0000-memory.dmp

Filesize
64KB

Download
memory/4540-543-0x000001CD5AA70000-0x000001CD5AA80000-memory.dmp

Filesize
64KB

Download
memory/4540-542-0x000001CD5AA60000-0x000001CD5AA70000-memory.dmp

Filesize
64KB

Download
memory/4540-547-0x000001CD5AA60000-0x000001CD5AA70000-memory.dmp

Filesize
64KB

Download
memory/4540-566-0x000001CD5AC70000-0x000001CD5AC80000-memory.dmp

Filesize
64KB

Download
memory/4540-548-0x000001CD5AA80000-0x000001CD5AA90000-memory.dmp

Filesize
64KB

Download
memory/4540-565-0x000001CD5AA60000-0x000001CD5AA70000-memory.dmp

Filesize
64KB

Download
memory/4540-555-0x000001CD5AA60000-0x000001CD5AA70000-memory.dmp

Filesize
64KB

Download
memory/4540-561-0x000001CD5AA60000-0x000001CD5AA70000-memory.dmp

Filesize
64KB

Download
memory/4716-245-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4716-183-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4868-10-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4868-11-0x0000000140000000-0x00000001404A4000-memory.dmp

Filesize
4.6MB

Download
memory/4868-88-0x0000000140000000-0x00000001404A4000-memory.dmp

Filesize
4.6MB

Download
memory/4868-17-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/5028-148-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5028-230-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5028-164-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5028-147-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5184-236-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5232-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5232-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5232-453-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5304-242-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5304-292-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5364-297-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5364-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5364-256-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5528-261-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5528-452-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5528-270-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5692-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5692-470-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5748-480-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5748-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5796-282-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5796-481-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5836-482-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5836-285-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5884-483-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5884-289-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5984-484-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5984-293-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/6048-485-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6048-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download