7c31bb9ad27972ca2be4ec6a0a02807ab014aa91ebcfc4d1274b7d2bdf2637e8

Analysis

max time kernel
23s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 12:30

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T12:30:58Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_3-dirty.qcow2\"}"

Report Analysis Logs

General

Target

2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
Size

5.5MB
MD5

8858fd20ab57416d0ae1cfe9fac5c55b
SHA1

d80cde26e40a30485ee0abe3948bf65503e2c636
SHA256

7c31bb9ad27972ca2be4ec6a0a02807ab014aa91ebcfc4d1274b7d2bdf2637e8
SHA512

cad4dc16566511d5c4e552a9165e8083a6138d744d54347b0e61e9c66f18527873a4deac00b82db6469304e8a1e4c209cdb14bebafbb07ba3c1dbce88c5c5b27
SSDEEP

49152:xEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfz:1AI5pAdVJn9tbnR1VgBVm04ujf3NuL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3556	alg.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3040	fxssvc.exe
3212	elevation_service.exe
4456	maintenanceservice.exe
932	msdtc.exe
408	OSE.EXE
2092	PerceptionSimulationService.exe
1856	perfhost.exe
3612	locator.exe
1628	SensorDataService.exe
4780	snmptrap.exe
3996	spectrum.exe
868	ssh-agent.exe
5348	TieringEngineService.exe
5496	AgentService.exe
5780	vds.exe
5952	vssvc.exe
6128	wbengine.exe
5408	WmiApSrv.exe
5520	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\19d5fb0a74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c53a45334396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b64512344396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004883cf334396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caae79334396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000299d47334396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000818691334396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3d580334396da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091d761334396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd48d4334396da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3368	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
Token: SeAuditPrivilege	3040	fxssvc.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeRestorePrivilege	5348	TieringEngineService.exe
Token: SeManageVolumePrivilege	5348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5496	AgentService.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeBackupPrivilege	5952	vssvc.exe
Token: SeRestorePrivilege	5952	vssvc.exe
Token: SeAuditPrivilege	5952	vssvc.exe
Token: SeBackupPrivilege	6128	wbengine.exe
Token: SeRestorePrivilege	6128	wbengine.exe
Token: SeSecurityPrivilege	6128	wbengine.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: 33	5520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5520	SearchIndexer.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe
Token: SeCreatePagefilePrivilege	3216	chrome.exe
Token: SeShutdownPrivilege	3216	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3216	chrome.exe
3216	chrome.exe
3216	chrome.exe
5732	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4920	3368	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe	86
PID 3368 wrote to memory of 4920	3368	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe	86
PID 3368 wrote to memory of 3216	3368	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe	88
PID 3368 wrote to memory of 3216	3368	2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe	88
PID 3216 wrote to memory of 3732	3216	chrome.exe	89
PID 3216 wrote to memory of 3732	3216	chrome.exe	89
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 372	3216	chrome.exe	93
PID 3216 wrote to memory of 456	3216	chrome.exe	94
PID 3216 wrote to memory of 456	3216	chrome.exe	94
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95
PID 3216 wrote to memory of 552	3216	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Local\Temp\2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-24_8858fd20ab57416d0ae1cfe9fac5c55b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c266ab58,0x7ff9c266ab68,0x7ff9c266ab78
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:2
    3⤵
    PID:372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:1
    3⤵
    PID:1604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:1
    3⤵
    PID:1432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:1
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:4560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3976 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:5444
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:5548
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff60bd3ae48,0x7ff60bd3ae58,0x7ff60bd3ae68
      4⤵
      PID:5604
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5732
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff60bd3ae48,0x7ff60bd3ae58,0x7ff60bd3ae68
        5⤵
        
        PID:5764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1928,i,11667882262600486233,4438500340326013108,131072 /prefetch:8
    3⤵
    PID:5648

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6064
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b7fb6ed6d937bc0d9b10ac70f02d5a9d

SHA1
a88df1c5cd3ab28bf81af06b24ac2db471f9e3ac

SHA256
b020f9d61ded292e72ff11021a68f6ad522ff4b9ceaf8e37a8fd68f7a5edbdf8

SHA512
16b6ff437a35ef667ad6f41a184a053a2b36d3ae521f29e188c6820d603d44224fb4aa0ee1012057be797ccf0527af9c4a1c4914b134cc678f6885c9f9a3a8bd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e7b084e0dc2dc2a6ed9afdd5642ab847

SHA1
079d594849706f6e0c60a6bdc246fdbaab07bb64

SHA256
2fd7a95035f3689e81279bff48730ba01059957469b441d3a56ed6ecd0e5dfda

SHA512
81940531a789bfb7fca4e6c4e066d92d1fa49e1831d42423df919f349194102a06270012a3a9d056ac32757b5c78bbbd7bb76907fb467e9afcbeb6461bf3d2b1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b7779a9c73866b3065e23eba6a98ec94

SHA1
98e366091ea41f21e1f367b72584072a55814313

SHA256
c191fc5ff1c32ee8fae905529e01c53790d2e868d88a49a4cf7cde7c7f692f79

SHA512
40f4d5f0227dd63e4e63dead00ec60815b7cfb89e2c31a342a477ee978bbfe0c2e7ba159897de474fcf8016422a581dc9a590b3d2b70834f5ab0b3735f27b92e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\5e5e3dd7-549e-412a-87c3-3cc9e942d230.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
58bb95b4094ea52340b0fa368840c9a5

SHA1
03e801a2f4735f3f47b6822d4660e55210e56567

SHA256
65d15a1557409d3cb361251a31e7a620874bd504e12187d1260d9b80fbf6b235

SHA512
6931e70506a094e390cbcb45ae3bbca25ea54ab1937d6b5b3443890c5f436f5ee04dd587605ff1d7055f4f810d3ac690e1a42b39020e242389dddbce5f7b3deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ae947fdce07550a33cf048cc1f786c02

SHA1
529354cf18539826e8c50377cd4c8910223d875b

SHA256
661bbc4b4a94b645611d05db316e78dcfddd914fabd5c07283fcbb6c154be4fe

SHA512
8f6df6984ad6ef85b731f63835ce59261de5d2cdd58d049ec206606ff7114642477ed41c9fdb88e383f002c7b1b57b8b8d376270a760f7d21ae8f695b4cde096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
782d86b0e8a6699a8654c26f169148c4

SHA1
569400884cb796fe87dfdbad6ff9e3a75295f080

SHA256
0cf1f1ed2de3ce471af23ad93294127650ce83c561b1988d652478235bb7148c

SHA512
9a9fd6016a213425d085ad89f60ec23b93fd1d29901b5efb19ac50f77bd9cfaa04d15978b47bdae54ab82ee1631337f914d2fe30aebd030ff31ee4308878fe9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4b63d1e1770555134f88984a6cc4030c

SHA1
950dfd46f087faf107e56d88d0f7b8c3b0545b1c

SHA256
cf069782dd05d18817942a089288185399323f56f21606c8ec0ce5be4a02a2bd

SHA512
ecdda4376214f8b8fa0097c0165393c6f18949b9cbeed384e5b19092dc86096fc0a93ab3a1ae9ffd9bd3ecdf9c0f2ad89bede0c773fb7f9fc3783ea2a793484d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576198.TMP

Filesize
2KB

MD5
8df20ad2489acd1e7f8a24fbc9a8362f

SHA1
b37b2bc2ee82f0b39ad3a80f6b15ad382bfe6c59

SHA256
6ddca1715870af630f7f8e66256978606fe92341934e897f0db7e5182bb39389

SHA512
8253fb905874f333413b730cbe021576a9ed2dabcdcc9c99400a8ee22792135052b60718defdf45190e05f3b4a70a95bab0a328a2c6d1ba9a095eee0ab4dc112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1ed220cf2e60cc653df6619dde6bed66

SHA1
2b0f600427075ae746420a62db45b46290f062cc

SHA256
403a4fa10be46dad002ca37753c6808d526e358e2212adbdee2f64300078e5c2

SHA512
ccb90ca711ace1f33ff3c1ec965bb19d3261a3a82d9c2e9f3677b788235df2335c919970434ac5a89bcbb9b89060837e0861ac5319c8fa7ac64affff7c2ebda6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
9f7e50036c7633e2ccc6dd66af419402

SHA1
f322f310255123428251f8011d0ed834c315f38b

SHA256
d0bab68e482658415f86c354f8d88873b993a7f94106a8ac9c3fa6e5dd367c18

SHA512
4d2fea87404cd7895ffabad8d0a4a8dad645cb950236cbc1c52e9dc4003ecb42eea4c4440e85e052b0f8a1dfa85514c848a9dc3ef328b24a05998b10a97cbc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
23e1cfef5bf7d8eba0bfa9fbd9c5152b

SHA1
284086b1c879a4e2422371dcfb68bb945e59db1d

SHA256
5f509381bdee057e204bcd59b0472db3372160edc5f5fbf80be6b651d1d4826f

SHA512
d61101ef6d0873d0150484e12693c56844673e081f8202ecbce9725e313e27a9dc965602660bbde05c90e79299625b78ed43805c687e9b47abcbf2248128175c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
740c1656c168e4b3f3dd38a9ad199f03

SHA1
321d609505dde5c7719574f44aad14dacd3e8baa

SHA256
b12ed18ad963bdcbb664175f94ce926197987874d1e8f07df7cdeabda6aec0a6

SHA512
05f1cf02d6f2d570880f6797eccf5cb96a261c4e6f534deec90d5014578132d710c2a880bd708ab38f142b4c2dde0cc65193c50e33e1f77ece815bea1b960e08

Download Submit
C:\Users\Admin\AppData\Roaming\19d5fb0a74f8f84a.bin

Filesize
12KB

MD5
7a24e3fb72b0ae21d31efced4733c843

SHA1
5dc564a8c76e793404125b4646b9735df10d442d

SHA256
c85786ad59f9a6b3dc8d188356e04125c6ccf4c31eeca18d2c3c35bc1e1a2612

SHA512
eb8fef92227d7a58848e6965c529e9a8cd80aed34efef2e1c3c875fd2a615a9f35ed9211afe7d0559a28cddb1ad6bbdef587cd33cc041d90fa4b6ba6a3a6f2c3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b78d2a42e8287c27b1f03868e511dc94

SHA1
2d001117853214d2ef3093445577959dabd834a6

SHA256
a709507518d4d03d7be223503d606bb7e6117b6cc3f2e99cadfe44803b73ab19

SHA512
3633e9aa1c31ec25290ad21be5d4f22c20e79a6a07c7bf996ef0014aa611a5705648b6d6aef2b72027711594b8cd5ec1a775c0126b7462facacbd9f58da707c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
df385dad4e9e7c05269ab854e5cfa398

SHA1
002654e2d3b013a7b9b91b5db7e1309f87ab5a3b

SHA256
ad002844736d8a509ed45ec45f064e5d8aef15bde39c7c992d1d61f562a7f92b

SHA512
ac65076df3eeacb97b9f4c491f9e7c973e4469af2d06df8a7f908448d0b5a941da8774f3bf7b55e3c8fe6a5e013ba1bcee95c5c2522b08b37e2d67580802887d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
239067a34b7457c833219eb16ddf00ec

SHA1
f80cae1c7596f893b5560ee99da97e2b31ece366

SHA256
3a9751f3c3bf460492aeff397022291f078f14af919e4ac1c275f135ef29ebfc

SHA512
5c5b7f5a9b67ed791f824bfa76d3628520d94c395c5969726c561b9401e38a91eb775406e99c733f405f0fb7a931f7eb9f8bf8e21b1e5d607131b1263f61fe02

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0037af8c8128a4ffb05238454c7bfee9

SHA1
dda537ec990d47eb02c142c54f5851e77105b529

SHA256
8d17261d2bd110a8b70d3205186e6b871bfaf3101afec2843a7de3e953a58f95

SHA512
3e8c516b6d3050aeb1668c06302b4bbb8ed483b963ed09fe04cac2a2b8e875bc74cca62d2de93531dc557321c9bf1aca6a3fb95a8f25a17b4002bf83c9a683f4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
18e392b74cb9125947e57115804386b5

SHA1
67b98967524c26f40d731239a8910936fea5f12f

SHA256
596526f04c1ea02cc9acc0edb8ee8897be832d7f4cec60ddd87a3ec67c364969

SHA512
8d5292783e676ee841b52b3abdbb0a984f87688cb71f953b6062ad07345febc6c0cb2434ebc7ff7c6e0c7ea7fb3a1d424daaf98489322653ca18ba0041e4e557

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4b64591f9311dc717e5293f86b9266c9

SHA1
037a15a36a16e5660a9351e779475162d04319a0

SHA256
4cfe9c2f5d612b17b9964af1823d8ed94e37871fdb3baf679cc2e10eb6bac01f

SHA512
61b1a1375eb766ecf79ff415beca0b24078fc8e356755af73e5001fe854da05f6d7b63ad1d8be3e976f8fe11711ad33823865a9c8dac1d3859041c4bb7d66449

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
91635774192186d0a550a5f9dd378cb1

SHA1
2013c897453fb580e00dfb0d5f2c0bd3c638484b

SHA256
d327893afbf8e46df3ef8722c09a5731d5506d54def7b3e5af07ae90b31f9132

SHA512
ac6ca8a6d88a6f74231550fb0ec7bc5d76fbb9c6a2e36ab247e75088e6f4248f4967f4a01be0c7929fb41b80609d5fcb33dfc81f842830d8f53b8e35a40e9681

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
67cd324764215065ea65472cd215a8e6

SHA1
d0810f0be25dd4102e22872bbad893cc386819a6

SHA256
ec40d0074e38cdd7a37aaf897f8f4eb518b42e12ef89b3baa151e7490deb434a

SHA512
0fcf1476287b5d671d324a1cf0db2cf1251702e9a72a30719a1dc6d57c9b28378b7d2fda3bd9014779b7bb9ec8c4d5293bb64de91faebd4f68cd56cfdb189f13

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e1de375cb58d64050a775758f3ce390

SHA1
b4749787bb1d815958e9be593409ddaf860127c0

SHA256
f76f2f9ab5089d07d325ecc6905087eaa018fa5e479ab48805f391f1b1fe5573

SHA512
1574c165af2c69cd5c618d864089bd7ded9147605f88615cae55525c4bde7005ff8e5e7e2deff16f04737f63fce7a3595cbef4eba140e266f840caa19a5299b8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
097f9a0e25a1af55553a7a6efcf27cb7

SHA1
e9a972d912acdc5f0ee536ee268701ba60bc2e34

SHA256
399489e6de843b0664f3e49e640466492e0b7b0a8bf1a1b2204f29bebdaebaa8

SHA512
a37c22ba6025600d6bf2a09154e854d7890bffb22e167b0c991acd56cceac84806b71ce1a43a865bde2359d818007661b33a754bc03d23e69c7a68281703ea61

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7a65a5ddf749feb38d56a719d5a04aa6

SHA1
17bcf078c98049885adcba24a5748fe334d511cb

SHA256
2409f7c668c74266edbadeae126c45159403dcaddcc2f467f5315283a32991ab

SHA512
5e1e9bff03ca3e0a2e4f0114040a6c9513eb254c795b6e3b258431cfc6b9a417ff839589cb0cefd8018da72eaf7104dd0b16b816220d6af9b8ef17aea0af947b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b4a5ab37a8ef8e241e7ef9fdd194503

SHA1
f881eeb0e9de6b64818dc2032113e575ff1c7d04

SHA256
cf38e87bcc6dda47ab5ddaa09d013677aa57af2d5a50d0ced74fd39f5f23ba7f

SHA512
de7f1c6ff67f6fd61f99b52a4440d18a1af254e0c937fb647baf23b696bc77a69a89274006f04562fd7c476bea7b46944aae4df8d0e4e478b520434d5ef152a7

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9ff534ac1480e13ed4e4a69d170b2dcd

SHA1
488f277f39454eac04fbcae123c27049134f85ff

SHA256
1dafb9f948b97d1b113b870019fc69ce968bf8d2c0921a723f236e75577b2880

SHA512
a7c34449faccdbae47d9290210d2d7a535275495cd6d2b060cefcff45beb6382283553f476ac7f4dcc81cb33bf76b7287e6b0cae3cdef5cefee6a5f8cd12aae4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c5b7f805dcb76d27387f8783657cee62

SHA1
bfded50633163468ce30da5340f8a16ec9edf2c0

SHA256
eca0527c21b5d9666f197950aa5b6ba7ab214d99c60222946d34c0f6461ee506

SHA512
c2c7ac450b6ff223e9984c3c8bbf0636a239939ea926fec1579374408a99737947af2ad59f5f2e256509688265cb4e1b050f19f9a0127393dd05ed18761619c5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1f5a016fc5d20390d26140231e293049

SHA1
08a91c3454f7469c7bb37d3ff4635fb65ba666f3

SHA256
19f942d86ebb9b8c6a26559fcf68b212ca7e36370ddfcdcb879129481c7ec170

SHA512
84234278e6bba8cc2f1bb8a555acedd335629e0a9e18dfb5620c10058dc061b749d0877ac4cc6a54cfa62a40bba094ad2eea182c86bed3fd37dff4cfb082606b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
880bc28dbabfcbbffd3ed7dd873d8435

SHA1
61868c89ed254706cb609b7a3290b375b6acb18e

SHA256
616845329afd98de68e0e55328a302e2160cf08237df21176d3c283c63ea8341

SHA512
d50a245e0d372307e5ab0e7d94a9d10ca4e0b16c0fbc7a368fdae7d30f84681409245eeecac690ed7f5b53804bd404de46dbda8d4cec139d6f22c22b42c1c6b5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
400d83e568c3a5d7cca77ec0aaf974c0

SHA1
1358d7a4a8fc6c632950609447004671455d9105

SHA256
900e460739a88a3c37fb177339075fa52c537498377ea5a31fdbd20463972203

SHA512
85eff8716cacf4cfeba9daaca569496fee6316ea255fa013aacd51c1eedd01ec0a12a11f100ae80fbad5e2925335b7959983cbd32695f47db59dc41185efb1f4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
998975ba2b396a95a14268eb37a44706

SHA1
e2d6627f94f6443b0020f3d6700495196615419c

SHA256
bb69b23de788e8711d3f88cf1fb2812efd41dbee349db4a1382c15f91688776b

SHA512
8a91c550d12cb22a0b04701956dade07318dc8cae370bc473800bbf3b85506dc20c1b2b719a1ee11753155feb20fe742e587d3513c16778b671a730e8e01421a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
3b8d3a35700899dca51806a9163fd5ec

SHA1
4db812d733d8c02137d7a8deb9b824a4ab2739a0

SHA256
01a6c427ddc33ab90908295320318314e29ab1177ae2eded82911fb468c8cf69

SHA512
5967d3f4e5858e70239d44c767b51e35e938cec750eeda8c95c5eec6cf770419964e5c95a273fb7239ddea292feec74b66422fc03885e7eead77368579b10bec

Download Submit
memory/408-138-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/408-131-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/408-223-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/408-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/868-239-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/868-248-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/868-334-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/932-115-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/932-123-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/932-114-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/932-194-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1628-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-196-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1628-593-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1628-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1856-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1856-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2092-147-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2092-155-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2092-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3040-92-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3040-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3040-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3040-60-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3040-78-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3212-164-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3212-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3212-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3212-89-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3368-29-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3368-1-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3368-7-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3368-34-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3368-0-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3556-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3556-106-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3556-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3556-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3612-170-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3612-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3612-179-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3748-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3748-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3748-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3748-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3748-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3996-225-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-235-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3996-309-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-96-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4456-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4456-110-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4456-99-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4456-104-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4780-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4780-220-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4780-201-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4920-12-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4920-11-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/4920-98-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4920-22-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/5348-262-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5348-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5348-256-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5408-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5408-357-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/5496-285-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5496-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5496-276-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/5496-267-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5520-361-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5520-368-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5780-561-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5780-300-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/5780-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5952-331-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/5952-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5952-599-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6128-344-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/6128-336-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads