641115b3047da055bf6aa4c5306c01d9ea3694e41ea5a1010a19c51b3a47915e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
Size

5.5MB
MD5

2eeab99a611f5495f89f69d2eddebce1
SHA1

553ce3052a6a467963cdd24d96e407149fff214d
SHA256

641115b3047da055bf6aa4c5306c01d9ea3694e41ea5a1010a19c51b3a47915e
SHA512

ad007cfd26164b121b7f81fb7dfc4433422c575e4ccf301a880fb8bdaa7edcf13ed7448e266ca93b54bd5daa58058d06786a1dcba6248439ee031e0aab4d41a9
SSDEEP

98304:lAI5pAdVJn9tbnR1VgBVmBNEex+u5Ck9:lAsCh7XYONX+uf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1404	alg.exe
2476	DiagnosticsHub.StandardCollector.Service.exe
1688	fxssvc.exe
3040	elevation_service.exe
4716	elevation_service.exe
3840	maintenanceservice.exe
1520	msdtc.exe
1756	OSE.EXE
1772	PerceptionSimulationService.exe
2444	perfhost.exe
1428	locator.exe
4032	SensorDataService.exe
3620	snmptrap.exe
3296	spectrum.exe
2220	ssh-agent.exe
3576	TieringEngineService.exe
4732	AgentService.exe
2116	vds.exe
4052	vssvc.exe
3964	wbengine.exe
4984	WmiApSrv.exe
5296	SearchIndexer.exe
5836	chrmstp.exe
5908	chrmstp.exe
6028	chrmstp.exe
6100	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d3f4355c293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613887882813476"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072182f911fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000184117911fb1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe643d911fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e5592921fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020025a911fb1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084154e911fb1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
6124	chrome.exe
6124	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	928	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
Token: SeTakeOwnershipPrivilege	1440	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
Token: SeAuditPrivilege	1688	fxssvc.exe
Token: SeRestorePrivilege	3576	TieringEngineService.exe
Token: SeManageVolumePrivilege	3576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4732	AgentService.exe
Token: SeBackupPrivilege	4052	vssvc.exe
Token: SeRestorePrivilege	4052	vssvc.exe
Token: SeAuditPrivilege	4052	vssvc.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeBackupPrivilege	3964	wbengine.exe
Token: SeRestorePrivilege	3964	wbengine.exe
Token: SeSecurityPrivilege	3964	wbengine.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: 33	5296	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5296	SearchIndexer.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
6028	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 1440	928	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe	83
PID 928 wrote to memory of 1440	928	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe	83
PID 928 wrote to memory of 4608	928	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe	84
PID 928 wrote to memory of 4608	928	2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe	84
PID 4608 wrote to memory of 2496	4608	chrome.exe	85
PID 4608 wrote to memory of 2496	4608	chrome.exe	85
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 2564	4608	chrome.exe	101
PID 4608 wrote to memory of 4588	4608	chrome.exe	102
PID 4608 wrote to memory of 4588	4608	chrome.exe	102
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103
PID 4608 wrote to memory of 3276	4608	chrome.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Users\Admin\AppData\Local\Temp\2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-28_2eeab99a611f5495f89f69d2eddebce1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825a5ab58,0x7ff825a5ab68,0x7ff825a5ab78
    3⤵
    PID:2496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:2
    3⤵
    PID:2564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:3276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2644 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:1
    3⤵
    PID:4724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:5208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:5240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:5364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5836
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5908
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6028
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    PID:5232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:8
    3⤵
    - Modifies registry class
    PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 --field-trial-handle=1912,i,17737063613067988559,1942488658621500044,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1404

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2260

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4032

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5296
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5772
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
350c97a831c78555b78d30259126c78f

SHA1
e70e356d3e4548f9c0d4fed5e799b2f26204588f

SHA256
b6478ea43ef9c18039b5ca8e753a922dcae90fe594f66fc5b998c78c582d2d6f

SHA512
8ed9cb28b444b3d9d34c0c3869b74d3a98090f6f1fdc8b677082bc3ddd0b45c97a727d8ebb71d3d0e5bf197b64105b38c5a08efc2e86867cfc1364a1374c1c15

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
11a97435a9b0d79564dab1f3fa4bbe33

SHA1
eff7268c8e3fb1a209785cccd9f1b81cc53defdd

SHA256
88ca5f7fd737abb569f1b70f2948acd384034e0ffd9a3fad0777df7fd5b81aae

SHA512
2cd0932f78011c24b03938b55cdf369211d0e7fdc2bfeae4ba1cac83261920e9413619eb113148b18d1335d3fbb03de5ae62ef0ded42be8844bbfb78a7e09cee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e885d5009b4dd4b9f97568dc9a487c6f

SHA1
e3a43a401c78e7fef4e32d0d67ef992bc06a815e

SHA256
5968a4b269471a3eb760b4cac35ef16a3f3d689b613b485525ea049fa0286480

SHA512
dffc936404dc18d0c0ded07051a77409d2d85b2c573f0b54c70b471b260523ee742a5a2227e8cf1dafa36fef743b77fb90f62ab45cd6858332d3762147dcfb56

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
887ba00ee2a8e229ea6d731b61aa71c3

SHA1
a8912d0b7d11a6f91d0b6614d2cb58b80d315997

SHA256
097898fdafb2c9cdd562c28505ba0a72ee172fc21101db9cab411f424d2dde97

SHA512
ae0647b4323f79554b2630d6dede7befab016e08ca46c1334bdf96d21a2460cb707bac3de13fb49aa21a796294b2309ad1c5284d4e935b3ea2249ab795a9adb0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
64dc2091cd6a0bb6afbe36c183f83d9f

SHA1
f13e598f71aea773b0ceffb29ef02b50d4e16249

SHA256
6669cee7c5ecfb6b6b968d6ec6de4f98793e5911ef4dc07fd60ba53672eb5232

SHA512
798a27b280da84240b12b93c2819549d46e45076909d57e0b92408350b61f990952bd75bf1f049c77f350b4196afe6719632e431fe690ec17fb6f17c44d51ce1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\950d3adf-b7be-40a4-85b6-3ecbbbf5d726.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Mozilla Firefox\firefox.exe

Filesize
1.2MB

MD5
1ec567a9d6efa5d1d86c68f4a5647399

SHA1
68dea0c49deaed84824adde041c4b6d986c9a63b

SHA256
dd03652f495f17c23bca881a608963f4996383542a0a984ddbea7ad5c89aa8fe

SHA512
ba7829a2fc1f441ccbcbdd9d599b4a2710db31eb8ac21fabf23ecff850e4419edc9e3cbede68d699d12de85c08ca4095901be4df77283cb2b651a77190cfc0de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e88859c4de9aa4ff8aba7874758a960c

SHA1
2cf87a39afe204653907028e31200c9f7ccdb939

SHA256
0f32e2eb1874d463e094c5f33b5acf11f17bca7859451fadd3bcd28c41a4c40d

SHA512
1b2426f07bf21f4cdd0ab695af63bfb6a782aa60739af6999a4c1df9b9990efe4ce921a56f5bb328e1e076245751ce84190ce756c1b83c14d1459ccc0e7ab52b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f5f2979975cc19b09232821f4a33cf73

SHA1
d9529a48af0ae5242c25717bb36da8f16ccb9fe2

SHA256
f0b80ab2c3417278a7c7af69fdc084e3bc5ecedccef9e53121e432a936728c91

SHA512
0190e1c5047c9f88e4e4fc924041b04e976afc3449bb12bfc2b707b68c9e9cdc8ffc2b3bd4e223682fb4bfdf0125f9bcd752ca1f288a758a8c19825176792e80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2779b36a57ee394429fcd0e8ceb92eda

SHA1
654be6ae7a04b9e6a8853c9142011d2e30a50ba2

SHA256
55024ae7cf66360966a074b9f475300664abce6576204ec523ba796c3766d6e5

SHA512
986d7527aa0578ce11abf809b2dacc05aa009618228dd48396d909bd0259b49dc4a443ad2486bd5faa703760f19fa83bb3ba339d10d8c044eeef0a5c0b78a2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576dfc.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f962025b5deee96a485e764687d71039

SHA1
a193d1363bf0988f7704feed5c436db8bab0bd0e

SHA256
e248344fd4a17cdfcde3584c284d43c8aa1cefa7dc04278ba35a6f1304411317

SHA512
54c6da90af0bffd214aee8d42a9f8b31362a99b30110f938ba17dedd13d42c763819eb4af30586201f15d8f8518b9b7a0d663fdb656aa06efc26171f04dea92c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
08fe6f478d31a10bfbbb09e025fa662a

SHA1
3748ba957d432ac020488c862aaa329083c2550d

SHA256
27c1f7522c54c26031f4de73d53367bc2963e25b76cf1f0d83c8a7c9385e2d5b

SHA512
9a8686173fcf18e181af3d80f1ff4e2bd9c96b35810a908f18d5528ac58e6afe53ab3f5145dd76d6653065dee29e632341127274e708f61d7d5d7ab5a5c06010

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
c0f10c72e79773584aa9c820c44ca1f9

SHA1
966b1e347ba4777587b763249d5c0aa6d9682ffc

SHA256
ff3319cf14142b9099f9a0710dcad4cbd0881137672dcad352c4c249c6d45fba

SHA512
5558810085e303905c89baa14c877d7691c74a182b3e6f39a88dadb375682d629ff1ad550a557afb9ad8e5ad8f01ce8345e6a02bc0f37c440d3b5e819e3f68ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
b0cc937ba7a62379522f3ff7488e56ed

SHA1
4842c224e6d91d5ca10e20077c095fee75c16fa9

SHA256
67bbc07bd905af1453a0b09bde56fdb71c567b2d41a4688e375a617189a284cb

SHA512
0ce18117d98ea1b5efe88e96acc7fc8f9975f651f0522f03723ac100a44a4c6279b9a69cd5a63bf095408aa2f6772082025c4010f36f63e0418b4f4fa9f0baec

Download Submit
C:\Users\Admin\AppData\Roaming\d3f4355c293b476c.bin

Filesize
12KB

MD5
2947c61ae8d5435f0a51aca3a4794885

SHA1
d7cd62c9d6a0927e4cffce4a4278dc10522227a7

SHA256
d9958b7c3cef6c089a22ab01ab1f4463fc7289d93ae7d8ad2179853a05b6e8d0

SHA512
925f8d7f48fb4461aa5c7af0ec15566777cf3d48a3f1f8c6d7b15b0834923fdfaca4cee7482d5a27e6a3886834f6133da425f7c59a5c4189e10a32bde7a2ab1e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
de3d353248d32a0378b8be7000a8fe84

SHA1
4bdb0a2bdae47738fa4476ba9d27761c26f5f601

SHA256
19d4dc318ee64ae4fd43670f5619e66d6c45d81da944a969b95ccd05d691de70

SHA512
5fc9d1c3ae7ac7260c6749da6686b3c1f47c5eaef73b2f836e37397e2691743ac3e1c84011201cf5ea03591ed3d9184fa7904e28c3cb06bfa67df651ec2850d8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1c043bda701109d108e32dfb59619b01

SHA1
22842b800ecd038b4d371bb8bcd4f33bb4b72b2f

SHA256
6d7f8b9cb8aecc212dce877f00aea579e965ab0984f9b9f19e310fe9eedbf3c2

SHA512
4ec520eab2ff69c303d6b68d89ff82355cb98c67185e5b61e132d9f4879d059a593eb03422aecb5f1ceae31bbae203053433e47e875259af3eafd34ab33a9849

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
cab745900f9982ef34887b76dc0bbe03

SHA1
a1db53c76c0d5140a506c6905293ea9fa2e642ca

SHA256
8180d39b1fc0a2f6f3e9ec23562f521da30013520d2bb5cb5f67fd27d40a583a

SHA512
17c293f73b6b03af61236c148789bad52a4f5c30f80007d6873d2692a21f46de9dc60dc988d0db3d161da93570d7e5698aa204672820e3ab3e3f1faae634da12

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a41a837379079e88eebbd27fc25dfcba

SHA1
39e5ef47a01277629b3411dd94ff03d6b954ec23

SHA256
a28ab722a1d1094c7e5fc9f49759cb333c26f265f47c568844409c306beee9bb

SHA512
bba47a6d3671f8d7b96967b3c04ff9741aebfc0d269e0e2a0126e193cf3bd972c5ea5b90b5587c26f9fad5cf723f4e7c1df6f463670f9d28fd62cd2a02a4a9cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
514d17de8e95ec9b9e5e6f62d0ed6691

SHA1
0cda72209a727e994ab3ecf662e65043e4505684

SHA256
29e05882f1d324219825aaf725c241731b003ddb22e291f1e3b937711e2711fa

SHA512
240749e10f634604ee488e5180b6ca3e971cfb319ea9cdc9d7896a220f6d5a01fa64ef71d0aa1ba68402445553b8dac1c1fc16f499da5888704df488e5865740

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
12f22361a18406dff3128989c1afbe1e

SHA1
23f6dc7bd67839d27a435c28b7a05cd6c73791d6

SHA256
a3870a32f9f258798fbca103b161303447f6d0b2adc004e61a2737ad586181c5

SHA512
9152662f0badbf1dbd0c326261a1ae4ccfadeb5526c4b770b8dfacdb88c6944905d678a74633b1cf27e8a2e93d37c2bff924fedf05b38a620e9a011d103edc4d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
47a330845a51f538c146c0998cbc3aef

SHA1
6716a00a5c6e1a6daf5cbdedf260b154e292c725

SHA256
5f15c014f59c947803c2fe5a7a30c97b32a5c4a688929aa5b25e975a3d014b27

SHA512
39ce2934fc0f4327d235759e84a4fdddc54e8233131dc9db046be8bf658c1d53a02de7d09683f66a2dc47fe5aa291f0ea5d4fd961f7b9982fb08a5dd4e695b9e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
87d1a150a14448aa8f5765315113bed6

SHA1
c51277947d55e38cb73cf656803099a37327fad2

SHA256
5f233b6cb5c2aa7c25a36864fb0ffcd30a746dabf5938c954275f4e52d6e43ba

SHA512
ac8adffba78ee7d412264f3b7c1dedf1f4fc24c1f2b0155ebc4c690f7186b704bca962379cc35bd5ecfd2d03a2dfa311adf44e05761adad2e24792d6021e4171

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
87e80bfd569974c9f134a47c98783ae3

SHA1
1e92e571c1f7561a1883550139a4439f03b833db

SHA256
dc528cdcdc23f5784446c180827332e89ebe15d6dcf6208bf701bbc54d9e81cf

SHA512
44bbad940a1a3b07d1eece6f9faa7fc9e0b2f9816cc46e8710414ccc360b46d457ce99a754658f4ed604e1ffe6926cdba652b33809accf20ce029ca87181fade

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dae48ae78448167608a086635e1b4d2a

SHA1
f73545e27d644cad1b36164cd211730a0844b4e3

SHA256
a14aca2d1eab7b9dab2c891d1a35d41334f9dd878f17ad7c26ffd18ea1f5685c

SHA512
21e84f9f87bec05d4abd056baa50f353def454dfb3d7cc8cb1fa022274a979df360294b1c444e024ed2d621f07e2f7e28713afcf590091bc4e6fdd34e7252f24

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
ea8d4a1bb8b4d356d1b43f15d6897711

SHA1
aa06bb321381e60285521d35dfd82372de164a73

SHA256
3eeae84d414589b508ddd06c51474a2976ce7a66b2acaadd97f5a4877f3d64b4

SHA512
8d648fe5d9ab8f0bcd4fcfe83c12b68ca762aad7eafd68daf66201e799d33e9f65630c98b7fd797ee8d53ea2557eda2ced5379377ad6f9f0170ac5b6a7716de0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f4a33fdedd5e6d74edbae21af9939dd5

SHA1
110d73a8308663712406cfaaa4f5f3cfe791ea10

SHA256
0e1718a3a5e611ee0641b7b04771e2b52bf7e6566deeacb2668cf993ce35c75f

SHA512
255889b2f0b4935fd69e944f2b47d49ef3bb0fbb7cd4d61493929b1dd619296afa0baf8f352f9d6fa50a3d819344487c505aacfcab8a8b97c96e21d5afcbe89e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
99d73a95e384215f7c948cae6181c776

SHA1
4091c0adde97a9cfa9fd9278e74f1cb1b716bbd5

SHA256
10ab5aea2e96f19255fbccfa37d09470de303f388a923d79f4620a630b5d9faa

SHA512
5e44a6c4805b8bfbc63799dd9cfdd6b6d75a6feb5114842fa154acab13e716b1f7d4a2cf249699fa3ae0788eb2f15a9e3bd9ef909cfc2ff56daf038b2ed2b11f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
2f1dc38d2d22da94db08c31aeb6dac6e

SHA1
49015dd1c3f33199ea8d218307788fa7f792b4f0

SHA256
719038ff1a3604703b015e6c8d692fd093678acd173cfb332bc0ded0d94637ec

SHA512
434c9d7ff2bd6c08515f168d0767fd3093817fa6117cc43af8ca7eab52eb9df80790a86382a222aef8179fd0bfe064b272670ff119918d4f7f46e44ac0d01fea

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fd21aa33db40bf7e4ba47249473a0a16

SHA1
20a5429cc815df2e505fa5a9023d5a44c5324c16

SHA256
82437b8d512e891cdcabd79ee47cee1b79c4049943345b175781c99337766506

SHA512
e17f8ce864c495a2e0d8b7c4d711efe00237aad38b8726f5bbdc2483d89a3ba9d41b9529f339714b1f9e18a3c7bd323b16c113bb24b3485dd4d009854a524b3b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4b695a095acad3deaae5ed2f6c3174f

SHA1
2afadf0c2e765acd73a860e26ae2bace27f4d6dd

SHA256
697790779d3004a7313c84e0568a70d9b902c4ba2b8df85dc7355ad488b57c40

SHA512
28f0a11e5dcefae794e82f2bd116151fadafeef4ec0a46beecc9c169944f1f512079baa1bfcefe8113c50e346af07fcbc9aca01746d9a1344da44faf1b8db09a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
74ab9e9a3344db481c644a567912172f

SHA1
e6ba41815a642f66cec784558844cbf15f9f2906

SHA256
83357b3651913979572661179140be63cc252923b3244a77350019a0aca3d1f6

SHA512
b80b442df45cf81be53d373da707222baab5910a4530a3e556aeb73bf761c9751a3781999836bb53aeeec0a4912500630eb342399c6eaf848b68a4fa9b004a15

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9c57a76c4b76eddbcc4b5f5d31968b4f

SHA1
2723809a0840e3ba2424a96f314f1cb5e08a4bf2

SHA256
04271863d77140995c9dc037998408e65fd734f38697423dadb8c0f5e13475b9

SHA512
aaf33e9826200d8d9a096d203f9664cb998836573a4541990a69e5f27c55e08403a4a1918ba0e4bde52547d0a6ca9dc37b86af161701628692225e44f5a9a664

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
memory/928-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/928-22-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/928-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/928-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/928-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1404-32-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1404-317-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1404-28-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1404-40-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1428-184-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1440-20-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1440-11-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/1440-301-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1440-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1520-180-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1688-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1688-63-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1688-57-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1688-90-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1688-92-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1756-181-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1772-182-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2116-286-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2220-280-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2444-183-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2476-51-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2476-53-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2476-45-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2476-530-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2476-52-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3040-291-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-74-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3040-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-68-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3296-635-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3296-210-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3576-285-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3620-186-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3620-629-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3840-106-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3840-94-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3964-641-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3964-288-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4032-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-185-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-287-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4052-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4716-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4716-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4716-623-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4716-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4732-248-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4984-642-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4984-302-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5296-643-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5296-318-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5836-504-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5836-594-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-671-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-550-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-583-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-776-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6100-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download