f03e6d794fae210a1ba763420f8eacb9d12c5cd3036f83cf000494b9c62130d9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
Size

5.5MB
MD5

50f6d732a1f9b0faf11aa17f3264fc50
SHA1

2fbe617f611f814867e9f81399d76429ac96cb49
SHA256

f03e6d794fae210a1ba763420f8eacb9d12c5cd3036f83cf000494b9c62130d9
SHA512

4f05fc19be416ed7680ee78a3d18371e723ea3b6b2e40fe8767c5ee8c06dc4fbf8555edd509dec02de381d3d42587e8056910d5b61eef89e2308fa0afbba7bae
SSDEEP

49152:uEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfr:0AI5pAdVJn9tbnR1VgBVmLlI7K2mF9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3500	alg.exe
2184	DiagnosticsHub.StandardCollector.Service.exe
2684	fxssvc.exe
448	elevation_service.exe
3712	elevation_service.exe
2156	maintenanceservice.exe
2956	msdtc.exe
4468	OSE.EXE
3120	PerceptionSimulationService.exe
1708	perfhost.exe
2036	locator.exe
208	SensorDataService.exe
2764	snmptrap.exe
1356	spectrum.exe
3036	ssh-agent.exe
3728	TieringEngineService.exe
3968	AgentService.exe
712	vds.exe
3016	vssvc.exe
2912	wbengine.exe
4880	WmiApSrv.exe
3604	SearchIndexer.exe
5784	chrmstp.exe
2156	chrmstp.exe
5780	chrmstp.exe
6172	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cceacf4ac3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002403120053b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000466140053b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a51e110153b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059d9480053b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c17f320153b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfc99d0153b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e584a0153b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea3d2c0053b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6f4470153b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddeee20153b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622904904958670"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4736	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
Token: SeTakeOwnershipPrivilege	4632	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
Token: SeAuditPrivilege	2684	fxssvc.exe
Token: SeRestorePrivilege	3728	TieringEngineService.exe
Token: SeManageVolumePrivilege	3728	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3968	AgentService.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe
Token: SeBackupPrivilege	2912	wbengine.exe
Token: SeRestorePrivilege	2912	wbengine.exe
Token: SeSecurityPrivilege	2912	wbengine.exe
Token: 33	3604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3604	SearchIndexer.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe
Token: SeShutdownPrivilege	4004	chrome.exe
Token: SeCreatePagefilePrivilege	4004	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4004	chrome.exe
4004	chrome.exe
4004	chrome.exe
5780	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4632	4736	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe	89
PID 4736 wrote to memory of 4632	4736	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe	89
PID 4736 wrote to memory of 4004	4736	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe	90
PID 4736 wrote to memory of 4004	4736	2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe	90
PID 4004 wrote to memory of 3432	4004	chrome.exe	91
PID 4004 wrote to memory of 3432	4004	chrome.exe	91
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5668	4004	chrome.exe	117
PID 4004 wrote to memory of 5788	4004	chrome.exe	118
PID 4004 wrote to memory of 5788	4004	chrome.exe	118
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119
PID 4004 wrote to memory of 5824	4004	chrome.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_50f6d732a1f9b0faf11aa17f3264fc50_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8be60ab58,0x7ff8be60ab68,0x7ff8be60ab78
    3⤵
    PID:3432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:2
    3⤵
    PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2060 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:1
    3⤵
    PID:5908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4432 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:3320
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5784
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2156
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5780
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:8
    3⤵
    PID:5868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1908,i,7306925940710600385,11399375883667711084,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3500

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3712

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:208

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:7156
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4456,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:8
1⤵
PID:6060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
0fe5a1e3ccefa24412e4ee5545f8c11f

SHA1
4623dc2241888244728db377d1db82eb5e796e96

SHA256
84f290ae922e4edb94dd7b80af6875bc24c89764a387a60a7d85d70a97098f30

SHA512
d1d398130663ac80de73ba93b9f4ddaefb3bcf8b467c4ac2be67830d0c473578dda774b3626bf5a4d10eec2e8df47818c2695e2b89716f994ca68a009186cf56

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d797b71fecafd0f10aee848d5dcb87eb

SHA1
7abaa84fa3622212fd9b81de45f263dacddb6bde

SHA256
6ae8dabf4c920da7f28119ae3837532ca5b7e59198a40b3a869be5a6f4967056

SHA512
6f5fb1bd217e616ba88fa9a060267b7e3c66ae9c8572277fec9a01e5ae5748a1c6d7e4cda98f40d487326567afb01dd6c42aaa6ab1f800a5b99dfc53b30e1b08

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8c3c0d03b5694d2e1930b164f55b2345

SHA1
b8cb518797b0f3877c9c9fb57aa227360762d3b3

SHA256
a5a598127fb886957f83e19bb45d247c7bbf22a1b022d2ba02d2f2421f9440fe

SHA512
2c2ccfa68577db0d95858ce20b8941525313a7fb504dc79cf40f92bca40737a37ecdd99481bd3704a3fd84348c03bf7c95a01a197e944c8bc7824aeced597dee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9a7f6ecb4cd0b6bba9113be8d3e79ef0

SHA1
37ac70d18ccaec08e65d86a01f916fa18856cbff

SHA256
1da81faf6ae0c5c3db0e265240a062178267050d682e3add91770470fb910660

SHA512
6e5c6238e311fb95775ce7069404f57f35365bb5f218e276232583ac23b7730dd88e78cace4ff9dfd75ffa3f7ee477c6c347ad1b8a68e80c57b4e8beead398a0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c769e238787a7a6b499fc49a465c306

SHA1
422e718f10b06ea47b462f70b61a4924aff0486d

SHA256
db3aa469c76d83ab39baef58e358f45505be28fc2d7e69f1b0acbc5e71790f1a

SHA512
4ead19961a4904e91df3e3493b44ced78e688db6c57e044d3e951a7028d89d8d56c4ce72533819284efb75a3a36c81a01dbd4576d513da36c329e78b435629ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
34KB

MD5
71079f7e878d0e10d2c8456b9594602e

SHA1
4c0e8bd9dd486e054b9dbf9956b4a2f6c72e5d1d

SHA256
d7fc69dc2e20a0f0a46063b0290b9be552396489952ba6205d5e0c052d08944e

SHA512
d8cefcb2cfe9f4e731f38f83354bd5956687220473e1f96c7ed242b9ebedcef0aa80b31733aafeba44789322b721e21a272fd234e61430f89a7e7f53247dcb8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
652e2159d457e0061462315e6431d76f

SHA1
e6182fbf217fceecb0ce00a842ee303553c68124

SHA256
45a7059d11a9e1eb18f9f552a37044d7d2dc64d4903bea01ee33a0b88ed58656

SHA512
6b58e5cd62b198d9b9c8fe354622a4dd8e9066a3ceb5442e8bf605983350270544f3f2761a0417d87d3744f89e9a818a2bce94f46e59339078b6d33830898c8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bf91efa5d1815fa4b74bed8b94e9ca88

SHA1
a747117b1af32518db7aa75ed969f5160ff22cd9

SHA256
36656e206669731ca319783299b9fd3be0e4e38bf680b8954f0d2d957e1d86e1

SHA512
dedfc1a91ceb3a598e9fddcae78c9f6395150dc52eb711a0c1f6fdf21ebe53675e03bc367f1a780f48e730ac9bf91ded45b9c64b71efa8faa4b80a58a3a5f721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6869cdb89951c1db2516c0dd583353c4

SHA1
b86efe55ed07482258e1408693e4fe0884868ae9

SHA256
82b4f19d0c2a69176232454a7a4b6e9b3f82f9a0037b39b5e9889116e6cc7d8b

SHA512
96623b42cbc92820a8a02f1eb6fa52742a5eb08b10e77d789f6df7943cf323e19654778ede495363b21aa2e7494ae56d64f9087a317126eb879453504c7204f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581a3a.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fc9d1c8bbfb62e1c6096b3d8e81a58e2

SHA1
8a26a1fde6eba1d3cfb8d807159375bcec523c25

SHA256
c101250051be28bbf298dbfad0de69fcdbf55c86839866e6f4a6f87d7a7bae29

SHA512
318ff7809f8b0e8a654e9ce2929a5ae7e78ae1d7d9c90432f0b9acd78c319cbbbd3f7c3b1fd684ab1bcb4f8f8399eff6588f5d28ac81257c18ce487daf353f2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
21a96c9823abd88920fd85c216740989

SHA1
12cd0e6e3488a5cbe7d8e0775ef36d253bdd7a01

SHA256
0e2ad43699a269daa776729ba42e424778dfefbf3ebcc4d8f9417dadccb85a1a

SHA512
9922119f51f1a6ef8f9b5b89bd9d9bcd3c8ac1690c73af290d165dab9b059a165a422d7c40b5b8d0554527f5cef62b2868e527449bcd1eb9da2547a11e321ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
d2a049a7e316b37b51def7d3209be393

SHA1
01a343a8f46c1fda27f24886a10ba6adff136f95

SHA256
8b96c5fc15e837df5752197bd2be9c0c2bbacb88de43f4a5d4649ee94a077be0

SHA512
9913173734eeeb955ad0cd2308cb5a2c83f3d7a75694730cf3c7a27579ba3c3e02b233eedc0285d1623bf3ba9fb49bfd76ae2c05f88fc3b257f5a1743121813d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
01bd8bfe218960cf7e5a68e46a98ad7f

SHA1
d6f4bdc8be21ae5d9c29af1ebb187e8a49264ecd

SHA256
8c90bc26a64436cd358706f69e857fa943964f201f8e03363023f45c44e9d286

SHA512
8dd159c0f468aacfa75df5e22f961d1a51496485d8cc490f4fb7c29783bc39970469b7b2795e3da32b0e62795ddc06588b8865dcb74b9690c994b074c08cf7b0

Download Submit
C:\Users\Admin\AppData\Roaming\cceacf4ac3a5208d.bin

Filesize
12KB

MD5
c274728e6b22d449c2c05e28d8a80ce9

SHA1
aa16e2f6886905973fce0c56e55deef9c947e2ab

SHA256
e07971d659ff261890de943611d7da41a1b95f2812e7f671f5ae2618d66709f6

SHA512
aa08a5b4efba7ea0f197d77fb01e5cea9195fd028f8233c699ea71a83445d60d9269e04b46841d3d5d87dee43fe9197ba8a91047c0b415ff807ba1eb6c33dfb5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
55272e5dbc3d06b6a41f1e98db2524e1

SHA1
9ece79d139fae1ad6c04e47472f370c57373e57e

SHA256
8c4e0a26beb2e17cf13149a816d04dc906b0c0db508d3dd3dd0e57f1944744d5

SHA512
54459b0c3468837895589eec161f677b069e4f368f6e1418f346ca9f187e6fe72acf758240215d553fcb95453ff6def651d7896a893daedb44dec2ef61c30e82

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fa5e60434f32d887140f0c2d97bedf5a

SHA1
ab18ce66f48b63318c81d981f5f911f450cf8e49

SHA256
ae6d3edae31a103754bf8fb19e465a47e288d1df3eebc13869353291406b01c8

SHA512
ab8c42a1acded6846f457c7711621381cefc0177678eac5d84eb5a757db2f936c6b8f0ce9f9881f1e2cbacf161a2a0f0025fbed7bd6c0698f1271fc88f2241f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4b7ea04bab8e96a48164384ef1000ce1

SHA1
2c495a620a0d3ab83ab53b27124f8e156a80035a

SHA256
40a3c7a0842aefb17b669c84e530a20e1d720962aa4b80e7289b9cb2b6d05c0b

SHA512
e411f49f4983f0cf871c2db1587972cddfe42eab8a6a6f752d0f7318cd8f6ecfc98a26963c43da09da5f44f6a3cb5f3da6c6a09a48a1cde5b5a1afe37317ea56

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
04c7c49d46b91c541eea4b4479f05e6c

SHA1
72e7be1fc6ee6e60c49b3dc8c684b8a1b45c7a36

SHA256
594ed463dc7867aeb62ebc77620ad125706a0dcf4e3ccc15dc2a2f989ee5b7f9

SHA512
4958e06ef1b98b60178425afd666cf3913dd8c880631e18f3e53ca415fdf084020c633e2c460ef3f7d5c6b708d90a64652201098c37ddcc2aada2be20bc58950

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c664ccbeb89c44f68accfbd35b959865

SHA1
9de642a81fe68f23aab94ff4700389377bf0b45e

SHA256
a3c0c1452b8333855c393b27d130020536dbe6730c8b11a46a621594ae472623

SHA512
4750e2c65c7867f8940801665f6a356a1d73c91508201e5a05645054eb1a07ec200dcb3413d2535a5710a6cf22bedd43844da2342bc77aefa33b30eb404caaf7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
87884d8fef65a8dec1abefaafa06da4b

SHA1
1a3d92473e8878b31587c78714bef1aad64c3c19

SHA256
0a185e09b155f2c45d62e2fca1636f3f441375d008a6103f15415635f3959670

SHA512
e1d17847a46a53c8a2183569f8bb2ced0f6a80d499d15701fb2b8235fa92d0f5fd7a817e7d11ad0d845458b372502382b5e82fbfdee2912d125aa18917dc9aad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6c650e6ea521def2ca0018b26d841c5f

SHA1
123bdb90af4e80e4e7920a7bdfb5f9ec1e3f7336

SHA256
53ae06f287cebd574c4213bd9aac9ab64e1ecd6d84ac106ec0a283dbe7c9955e

SHA512
a336122b2b8dcad28efbaf272d79d1d41665294e9440861eae32fca9bb380562f8c57f9876a9c33e794a791edb9dd8d73f5f49c6ab262efbeb5fd1d0b91f63ef

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
00d38f605353ad8adca1c79848d7a06d

SHA1
009e714600a506edb8a5486c5fdc2960a8a714d1

SHA256
80f1490f49eb635c2a3cf2abf1441a8fcde4791ae41fcbe1d06f714384e6d474

SHA512
5dc4ed455b2044e659511d5f4dca4e421b84fe4e90f340a03b7355e482bdbbe09ee98d4df813a65b38404990310eb3f0c5d05bea6d0790e490b69609a7c9cc98

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
688a9405b85c43313889f8dc02ed6a1c

SHA1
68023be6ca8c12c5c87b128ab1f44419cadcf386

SHA256
5b98627ea0bbfda60202c4123fcedbfc0c9c6fb659c774128b0ac39b8219ac16

SHA512
df3429339ecd6b55bfcba6dbeee29f55d6a21dc6c05cab1b49f65dcc0d3ba3957eb7f34ccbb445c3e35928c699b17164ae5fee14547bf1c20309334132dfaaaa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2255f958735d7638d06df4170cdf6041

SHA1
073c9ed5941f3f566b1a86a930e99234ae5cf416

SHA256
0fef86d94cbe331c317c7d9bf7842859320ff9e1587c60f253db2a80dddd2aa2

SHA512
b46be3355d2cf204821c0be2a6e0db7bad593fb6138bf2893376769e4b0e9afe5cbfe31b4db852b6fc497189fc985f4c1f6ae1973e0b9ef80c4a8f702dafef16

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
deb825ec24dee62e6d708b234c1cfddf

SHA1
f742dd47ca4757f3d05c23be3454d0a8d3b5eeb3

SHA256
099ee6c7ad600977c7bb56b49068f6190c21e27744cbd5200593d5c5c37db461

SHA512
8ddb01ff90d6e9e35089172cb28a8ae3398bd4c3d131ba876992fb875d3a4f2fb9d9c23e8041cd9ef8224772f282b2d2426af3cb7dbacc0d8cf668db8060f77a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77fef94c6475a9785315c1c869d79fe9

SHA1
aafcf94218eea4c3620e70907f181cc85e26d3e1

SHA256
dc5375ed099f56642401d2239dbe595d3de04dc90ea8506f800e82ce257f3e37

SHA512
6a806b19db8e6767de3c078e54aa740038ce59fa4e20766a2b38bd9da64b2895d7de6a05b8d8746af7d5a46c3a421b2775873aae76a8cb5f87a7cc02de17a539

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
82d410fb9e2146bbb4223c66631cfd75

SHA1
07346ec79d054328ca7443f918efab96c1d52971

SHA256
f2d0d03dfcfd0086f01150f87861cf55189c8ca5228926d08d1166bd06d138be

SHA512
d810a979fe8ac1ad8fd5944cb9b03b5009d6238a4fda405601a2d03b127145444b1b310571f672eb9814d7196041f031b25d0f69812ea9cee82e7b61e489a1ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d218ecf95bdd3111ba37ea25bd22a208

SHA1
f609c5e6548a7fda7512910b64cf478f9bb9c037

SHA256
2ac696a56a772382f0bab55482becbd076188d34f1fa9dd165b23e5c9972ea05

SHA512
b175e16fde2833f1dd69ab2e29c61a1939365fee58d087a375e6d27cc7388a5cfd64c242c56c6872ad4569df927e0256ace3454bf9f025c880ad4b1cfa5ff6c2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b0e028d8331da5d34a355a4af6b7f308

SHA1
02176774b8249f3918e218cc618913c0c391f559

SHA256
2249b774ade5b38ee5238c4913c516f5b833cfa5e26ee7629a1dc68f2d02f375

SHA512
0478f4139b68ee93caa6b2a5a5f95a3515027201bc6c83d557aacadb05276010b7bc1dd3176a83e67ac0149208f20a94e3102c19236b1019f266e6d56396f405

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a77ebbd1876927faf7fb9494d9b590e2

SHA1
3bb9dd1a90dcb4cd4ce977244386dc8320c58a86

SHA256
dd4bbb331ad678a5a1a38024665fd3744f06a2fdd70b1f840bd8bb828ae453d5

SHA512
5d79e88fea55993f4c6bd259f09b99e3920b9ffe20669fad25900254a86de69d7d4541eaf0a67313721a48e4b29dda7700674faa2260a7f9e495254c9f17027b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2086f61ec89659cd93afab85000bd00a

SHA1
952605df587180f0b60166309860332d05136f03

SHA256
030049eb8544c66fd5783d95ffaa5335b94b88782bef41f57cfddb170171f216

SHA512
ab349ed0314f82bd0ffe68f097e9f03e9dbdc5c64717bdd3370d461042485480e6de06fa007ee93f84f40a2d6058dbc93c35ac9e5b43aef1b9af306754e0e06c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d8f6bd1a664a71a3594acc7d25703ef8

SHA1
278005805781c9b77e52bb89e07eff38d80ca0ee

SHA256
76c1990cacf51a845f2d6d68bd60c450927466c525401c493f2cae87c1815c7f

SHA512
349d5e56faef9024c32ec915d3ae685c72d68c134d2e4c20245cac974a24c7f22ac32330989445b74f149145e9e6e12a9d87f3d70eaef096ddd4976ad7be7327

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
memory/208-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/208-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/448-67-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/448-454-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/448-73-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/448-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/712-350-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1356-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1708-336-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2036-337-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/2156-715-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2156-94-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2156-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2156-98-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2156-103-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/2156-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2184-46-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2184-564-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2184-45-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2184-52-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2684-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2684-62-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2684-56-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2684-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2764-339-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/2912-354-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2956-117-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3016-353-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3036-346-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/3120-334-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3500-39-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3500-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3500-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3500-537-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3604-360-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3604-630-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3712-97-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3712-626-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3712-78-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3712-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3728-347-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/3968-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4468-333-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4632-536-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4632-18-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4632-12-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4632-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4736-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4736-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4736-21-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4736-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4736-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4880-629-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/4880-359-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/5780-587-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5780-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5784-539-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6172-575-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6172-716-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download