56acd0b3078ea1bf520d3eafc9a51a53d0bc01429649dbf723115ca9785ca1ec

Analysis

max time kernel
7s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 11:22

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T11:23:16Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_14-dirty.qcow2\"}"

Report Analysis Logs

General

Target

2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
Size

3.2MB
MD5

93fd029b34d01f7e6497fc1dfd51065e
SHA1

1435172d10a930d552d34e25fd305e3669285d35
SHA256

56acd0b3078ea1bf520d3eafc9a51a53d0bc01429649dbf723115ca9785ca1ec
SHA512

52de4f2c6d20d773e6cbde523c6f5dd4d9f92c1bdfe789e4870c9f56d4aa9a686378cb026cc215be47d555188ab985d195e0145740c7edbf4bb8ff22facb07ac
SSDEEP

49152:x5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqyjkQ/qoLEw:BNhSMYw8ynqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1184	alg.exe
4428	DiagnosticsHub.StandardCollector.Service.exe
2704	fxssvc.exe
540	elevation_service.exe
3484	elevation_service.exe
4456	maintenanceservice.exe
348	msdtc.exe
4088	OSE.EXE
908	PerceptionSimulationService.exe
3232	perfhost.exe
3624	locator.exe
1016	SensorDataService.exe
2668	snmptrap.exe
3240	spectrum.exe
5228	ssh-agent.exe
5484	TieringEngineService.exe
5600	AgentService.exe
5900	vds.exe
6044	vssvc.exe
5404	wbengine.exe
5648	WmiApSrv.exe
5628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6c4bac892b574d51.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580857754051848"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3092	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
Token: SeAuditPrivilege	2704	fxssvc.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeRestorePrivilege	5484	TieringEngineService.exe
Token: SeManageVolumePrivilege	5484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5600	AgentService.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeBackupPrivilege	6044	vssvc.exe
Token: SeRestorePrivilege	6044	vssvc.exe
Token: SeAuditPrivilege	6044	vssvc.exe
Token: SeBackupPrivilege	5404	wbengine.exe
Token: SeRestorePrivilege	5404	wbengine.exe
Token: SeSecurityPrivilege	5404	wbengine.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
5756	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4944	3092	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	90
PID 3092 wrote to memory of 4944	3092	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	90
PID 3092 wrote to memory of 2968	3092	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	92
PID 3092 wrote to memory of 2968	3092	2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe	92
PID 2968 wrote to memory of 1928	2968	chrome.exe	93
PID 2968 wrote to memory of 1928	2968	chrome.exe	93
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 2556	2968	chrome.exe	97
PID 2968 wrote to memory of 4824	2968	chrome.exe	98
PID 2968 wrote to memory of 4824	2968	chrome.exe	98
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100
PID 2968 wrote to memory of 552	2968	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-20_93fd029b34d01f7e6497fc1dfd51065e_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c4,0x2c8,0x2d4,0x2d0,0x2d8,0x140221ee0,0x140221ef0,0x140221f00
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5e45ab58,0x7ffa5e45ab68,0x7ffa5e45ab78
    3⤵
    PID:1928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:2
    3⤵
    PID:2556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:4824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:1
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:1
    3⤵
    PID:116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:2884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:3220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:5188
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5608
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6c6fcae48,0x7ff6c6fcae58,0x7ff6c6fcae68
      4⤵
      PID:5664
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5756
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6c6fcae48,0x7ff6c6fcae58,0x7ff6c6fcae68
        5⤵
        
        PID:5792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:5700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4084 --field-trial-handle=1832,i,7565309709250251350,5279762439710428418,131072 /prefetch:8
    3⤵
    PID:6116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3484

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1016

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3240

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:5260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2513f6322a1a115757d94c7d25284295

SHA1
ca855dc057fa587a47a0c22263007dddbf106a36

SHA256
aa016ca7a737a292c4292508bbe38fca994b36f6410591ebed762ac28281bf2c

SHA512
8b54a03d5c9c8c0e3ba333d3c06e268a52ba041952bd3cbb124b5cb079316c826d7e45e9b6d6ba1bbcf0664f044976be5d604bbce4109b199997996cb350b598

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
73346f5aa9c76f5811c71674595e1f86

SHA1
1919c99a166e29d958649098699aad0c54f28551

SHA256
07c2460c21744480516e2c2f6aafcb0fd240a84357cff0b22a37cac85601fc0b

SHA512
8ecc7dbf3281451a81d875a8c2ecd24989fac2e5f78bc59571ccfea2e8fd73758757d24387318f6e159c5e784464e1e7485dde7cc768df38377b309f987198ef

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
92afd319f8d1e37e59d288c1b28d43f3

SHA1
630cb15f99cf63dd082ef5c2b853943a9706edd7

SHA256
398c535b8b19fc14674a90802cb0335a2d4d3ed2806da4f12794551d9a38ddef

SHA512
d496c58fed443fa63ae92214b20d3c6c42c7a629ff7d887742cb04a4e9252208d56ed9d2efc0ddf8ccbfc2779339b20591e8bf55ee9aede27cf11068900dd2f1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
47cf7ec47213c6e56513db200a816d3b

SHA1
0dd085f64329bf6c4f434f02ec38bac584ac409a

SHA256
36da0c6d8f6987d6823c1c55a4ac56e62c1e6731d039556eec39afab56d62720

SHA512
b3eb820285f70b916345bbe5eced696eb286997a31957edfefccaa8771a06fe96977c6fdd3f2be5cd164f26672171aad083b4de85669542e84c58cc0f4b80879

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a77fe8ce-c364-4439-a724-9ffe2958bb3d.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
450092d409ea8bde7e3ca1247fc0de4a

SHA1
f021476a1ce1a12f956b79635e5d5f36c2d2a4b9

SHA256
ca89da096c19ce02a68a898f6107765e7e4f005843d72d8447098c38d18e73a7

SHA512
d8d879b863ed265eded8c2af06151f3685c2345c17c568c119adc3e435be020232c731930083d3bc1f93ef1efb65670b70dc0e8c5fcc507aa972d45f016d388e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
381b57598025414b0a540823b6d37d76

SHA1
498a2636f9dcd4db1076e2ca7efedc831ec9564c

SHA256
68785685e433ddbe09ad0f8d01d929290c49962e2d8cf763ca0e67ce2103ddee

SHA512
ec1ea105d87140e9aa144a86a98aab48ad885c2dbdff43fa7661f4aafc24fef3d0208b4a2d2753219194943a1cc9cd7828e59d9015b9fb7aaa1e36249aaa3f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
789a278a4aa19dad30b57cf7df8636ef

SHA1
618b7a0392bce10be5f3803378a9df181254f6ae

SHA256
bc3b97d39575084ddc89827666d9ed75d834198162868b47700d584e901abe83

SHA512
b0dbcfdc7340aed1bfec0878accb24fcba64e2328c196b611de54decdd96edf8f6af8a8c545d42494361ae2971dead02feed4d717847325adce59c5a0bdae749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe585280.TMP

Filesize
2KB

MD5
fab391fe9ab5e7d3bc5f362ff6abcd2a

SHA1
584ee1c2d71c3ef2b40290b8c4cf056a0d3c975f

SHA256
73d64236fe1335c0f3c014e6d2ae8f6e5d0ec10cf332528652ef1775abc7b09b

SHA512
4724c8527fe6f96fe0d2211c958b58603cf64a0275e152c82716ede335044ddf0f5ac54ea5743bfcae11a751e69f8381b32586f9622e4f5572386a2efa765320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
4e18de2cf09f272383e571b5a44357b1

SHA1
5d75f26ed058a31c52345e45612294566d3515c3

SHA256
4f3d1b3773de75a62d42899598988567e134459722d28c3a32ac0703a31ab3fe

SHA512
947cd5ce42de057fe27ff755ea762f022d6f512b0c266647d6d3a95e23e5f60d1e205777cb7a703cff80582caede45bdae9f27d353afb2a151ad8d6fc0ee45b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
254KB

MD5
4bf5770a60f108101e97b65dd7a58ada

SHA1
f9c8cdb0653c459579584c02d4e306fc0bc3ada2

SHA256
77c8c585a27e7a6e967baa10e25b34190831ac906e6a66c8f285326657cafab0

SHA512
4ad28e7a9cbdf095704efe6eeed9fe5edb351b4776851a345e8700567144353a21cb97d16a5eea2261f5cbc0b94785a777b07794ba03e195dbb84b216149031a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
462ccd4729d49054b832ad1eb2369a86

SHA1
53fe56ef826d553a36c7d4342677d0a8ce076b6c

SHA256
edccfa8ca3c1acc233cb373232cff90fceb70118791a60f191da838d57b35555

SHA512
841e29dc991abceebccd5a9f80d8f11247cb95d5a67c06b78ff7be8cb103770df1634c788b728442f89fb1e4fa51549b0adc8902c7b72fe362e54eb428fbfd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d831ded890f679931471149da97da812

SHA1
2a13ffb5e481b856e1bba81ee79d1fc14e381097

SHA256
41ede32886b65705b20624457fd61b7482ee660d10ae353bcc0836a103702909

SHA512
5d77b0c2ed4e58c6f5d8efa82ea4e6676a19f44852491cefc2c920459a9c4c2ebc783cf46a159a7fcb063d79705b0e873fbea03acab54a1b3e351ff923d24e59

Download Submit
C:\Users\Admin\AppData\Roaming\6c4bac892b574d51.bin

Filesize
12KB

MD5
b24c7abc4251781b0010df99977fab05

SHA1
fdb065bce2c731b7dc7181f7a28c3d7c43769624

SHA256
647e997ef6e4576193a72d83cbb0c2106c14484ee6039f7565b3b5af269613a1

SHA512
cbd9a11c64fb0ff8c30543a8505879b7f763c6efb258ff20e3edfe03845d59d63b0b739f45add9f088e1100f301ac81ff6a0fb6e0b01fde522c21adee394bd0b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1343737308bdb1cd58eea92edefd9ae7

SHA1
85432c24302fdc052830af57b05cb72d9bfd482c

SHA256
520280aa167c0aff938dd24551a3f9959fff04ca3cfdebea20c8681db58fb1d9

SHA512
860b0547bddf5d96fea19305b0f3b0c0887bf30962c2403a33d721632d343c9d9ca0c36b3ddfa8608ff3feaea85cfa85cffabcaaf3738114f28180dc63e5e8ea

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a9e431fa6e798266d06ad0cd9e1d5209

SHA1
8bf439f2b92adbc5ebf332b61b7933610fa6ef16

SHA256
4eafbfe4c29e2f9a5c591ca950b3c330a19075fcb7eff951fffc27d3cb6372ff

SHA512
d10e2f173e79e986460dae97913cf79644961b437be620f397a0c4a617f75b34e36af42aa8481383ca4e9f7abf7a88e622f9d4c13560e2ff53c079077eaa9343

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
21e90e3213eaa87117c156e86057d02d

SHA1
9ba48c0c59b28ebf7ddc928ad866db0403fdf82d

SHA256
bee7b49e3da4d05cb25b52b55f5700464bd9be3e7788610972893b1079f30172

SHA512
c551eee9e27c049ca509afa42ba7544cec72834c06e9adcc6583339b6be5237c0cc618171df626aed2b5c2c0d15348affcab6da0dbf191ea8cc79d1d96569bb5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d710d9371c3978aeb01e276373292acc

SHA1
99ef902e29955b720998c9fe2278790840d06595

SHA256
da49afe91b2a2c0cebc20e463def6d9a167361b49edab6a35348bcf191fc8116

SHA512
eda93079f282b36d33b9ad90bd5d0f43f28c36556e7eae89e5d99631e92aac1d548b4998a895b2dc7d06c51475a2f032d04f7060e954e3eea92f61369f3133b6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
76aa75121de5bf3a2558c1171f505e3d

SHA1
927a6c9799b92217c4a70d1c439d92bb3584f382

SHA256
7355dfba98ec20f4b0912dac0e7102b01befbe9be8d29e7ebe12c0ca2d649653

SHA512
935a3bf914061f7019dc9dc3484a2ce25304f3bed442e43dc69651176e80252f1e539316dc6fe0937e7af4bfdb8ccd0ae623fff88d7cdc916d43f695ef32f226

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b1d7621d68573ac078c99c7357bebf83

SHA1
fe65ddb8649b93f3da63e91a20cb1fe7b34e7bbf

SHA256
d4ab7cc6d27253c97680d60d966f0e1e931f2945e5839eccf3f0e7a0eb2fd420

SHA512
e92cff456ab220b25db437322743a351dff7f9d282b21af831834d85a3561ea7841ac7462b3d4b670e66debecc40ecb963304a987d7320c62a7111451661acb3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
100cd7b6faceb29d6db34c51bd9ce79d

SHA1
29c6e533b1ba6effe06adfc467ee8c2d77de6e83

SHA256
c03a3022819e1463d54c51994f7d3a128f86a675687dfd29341cd1ce55ed5d96

SHA512
0f31913b9c342c8f86358bfc686d23fb1b3dd400e573f8a87f1813825640cd195488b45d3f88e188bf42094ed6a5cd09037100ef444980719ba0c2be0d8c0809

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ea261311ad296bb28eeeff35d372f563

SHA1
288bf7e1038b2b7db245de983b404a2633ac3c31

SHA256
f734ced282d2e9c41559569be614d9818da0273576fa34cb29ab73efff28735a

SHA512
20040b626eafaaefd7907c1c0393226b4b0ddc27c4ce56c92f0cd994036814d23705b2d935949bf8321469dbfc448ba65316310969c3f0d2beec6528edd623b1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
72b49239b17ce8ca8fdf67544d802844

SHA1
09be5ec83494c1c4541e81a40a2f37c2bb2b41b2

SHA256
695865a43d752caa2d8b7618b9737c03c2f71f09df88be5335244daac5d019a4

SHA512
72d5829b6ae85b87a95cc565df9fe36b7b6b6763e8f88e02e8beb98ee5ba4882e76d32ba9996cd906887ddfac1ea08fe2e5638985714d60a31184b4186698d23

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
062e865bc9056b10ba9d18ef3d5c62b1

SHA1
61088913bdadbb747cbccd1a2375bfed78beb542

SHA256
7146c1f046efd68cef684f58728f3dc18a389d16bc85d4ab3645592925d35c19

SHA512
01bffbc39afdf6e4741cbf074b2bf0e5c82fd6733efe4274f43786ef9337d7cdfbe36a9f6bf570d271250751ba36cdad10f9b704a12effe30a39dac54aa5fe0b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a9e4621221987d0f355c138985f12b71

SHA1
4dc01d4ea02916461a8061f11c73e7b5811a55a9

SHA256
9ca390ca8a5bf19a80ee4466b53d7c5fc9e7e49017c6df5ed26cb0a6f2f0b0a7

SHA512
b2dadf41143544d9952c585960f8d92f40917cf217e4188560061e9a20af01d3d99e64c6500ae268fc07502ef22a0b96ec1e24aca8c1195d00b84df695a04b6d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e3b50298a41286a33ca426017c38c07

SHA1
63d629e5f3a47a3cf868c09caae5f5e301845c66

SHA256
e039f84ab37e9b5f5926fdd72a64696e6c4e46b5d0516ee5c2dcef6c746949e3

SHA512
728a845237216fb57be245022aa93f8cb9fc887f8cf1ab841903d7dfdc16ff5cd3f1b587f9021a4fd52fc0ccf080c1112c3e18c487a896ba16d8a937859661a1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
8aff7ff0a9835c2fcad109a3636f0fbf

SHA1
51255809beedfb0f020d7bd166c503c24a1a780e

SHA256
32dbc1528a35dd14624a3698d368e8f4c4052b1b9a7d83b6dcee62c12b59d2d8

SHA512
d9b4554a05b068ed030e25abb54300abf4aed98b585df581ee13fa2bc278642a7191b9e9d477904878a541d77d7a70e3dfdb8c1a0e9ae72c9bf9e1bdeb3e577d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d62d0f3e13258958ee8ca6477251f628

SHA1
eceb0a45c70194068d3fd71f304cf07dd4cbee7f

SHA256
0f83d6b3397f28519d483a2d89f5a54f30813650114790de6dfb9a8e97a6f141

SHA512
b3b32cc4d3e5f51935673b06b2bd274d06e64a340016824225bec93b843cc17918f7e983c269440b335cb96132f2a3c888bc24295bf628dd7eb5c16f9b8b5258

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
584d8e1f7f738dbdb646261885128182

SHA1
0c84cf734dfcbe43d4426733edc638772d1a4993

SHA256
c7e0aebc59e065ede754cfa9e3f37bb38d2ef4dc466ecb3cf9e936ffc72762d0

SHA512
434bb1928de095a4aa496b8931f26fde28d4a39f97a51bfc663a510e84bc757a3a3b2376c568377b36464fe05703a5bb72441ce3608e49d58148cb8daae4d8f1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f9ce43e86bbf1b7e78bc09d78189d522

SHA1
04f76c6f3e7c0a829d8451cbc51b695268e6a3ce

SHA256
30137764b5348018cd54849dab277366d8a912c2ecbccadc97d4e6ac070f3c5a

SHA512
6a5df8e056db824b08d46bb4f2817f21387b1e91a1e60c3b04ce5e6772ac934e1bb15505b8d4e1a7ebf0303484382f86df4e54d8478a963c78da13982e2dfb48

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
9e16e957610e847eb1c174a846eb7631

SHA1
f4977c5a74ae066656efa7869eea89341aab245a

SHA256
03d5c6c8f933d9c44b20ec13c63e8478cb076a44077f6e58ce71a6e0c1f65ca8

SHA512
858ae500fa3217b9c7dbdb46badf6a70a5e1a641339662f5e92fad98797d41477df0b4202f61e6703943b3fa38c1b3ab9c3d2b10622753ef32f76988e171025b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c77a60c91fe87c1312dabbeb3d22ff83

SHA1
c7cb796a3f555737f8175cc37b99b8efe4c4689b

SHA256
36e4fd7603bd04c7a4566065aabf0cc7c0295716d48e30d966840ccaf35d484a

SHA512
b0cac979aa3db87e878f28ec5f8b398ba49a8484c05aa5181565bd9b1fa567370f6e00046d1f4041d31506155f51f80d0847810ef6fd5ac2186d744cc0fa70f4

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
f79d80f479a3822205d135addb5c7dc4

SHA1
869ae6a371ee61966612a9d16226c01c27337a34

SHA256
28348d897405da1d594f8a5a03ce4feca8c35d4fc01d55667e9de19d8563f1fa

SHA512
dd368d36b8ef9ccf4aff8022e2130dae0be94c8c5756103708315de5629d67aae0f88e09678c555d253a91fc2dddf4e5a7edc720b94a264bcf92158807db982f

Download Submit
memory/348-236-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/348-157-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/348-152-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/540-97-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/540-115-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/540-89-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/540-90-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/540-112-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/908-177-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/908-263-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/908-186-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1016-247-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/1016-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1016-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1184-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1184-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1184-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1184-108-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2668-327-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2668-251-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2668-260-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2704-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2704-66-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2704-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2704-58-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2704-101-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3092-7-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3092-1-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3092-30-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/3092-0-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3092-38-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/3232-221-0x0000000000820000-0x0000000000886000-memory.dmp

Filesize
408KB

Download
memory/3232-197-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3232-279-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3240-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3240-273-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3240-356-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3484-122-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3484-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3484-110-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3484-105-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3624-291-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3624-232-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3624-225-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4088-165-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4088-174-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4088-250-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4428-150-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4428-53-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4428-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4428-44-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4456-127-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4456-140-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4456-145-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4456-146-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4456-126-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4944-24-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4944-106-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/4944-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4944-12-0x0000000140000000-0x000000014033D000-memory.dmp

Filesize
3.2MB

Download
memory/5228-281-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5228-287-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/5228-369-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5404-379-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5404-373-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5484-301-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5484-385-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5484-294-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5600-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5600-316-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/5600-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5600-324-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/5648-387-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5900-330-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5900-340-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/6044-365-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/6044-357-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads