1ac1defc397757ff2fd0976cfb2021a48f86e09812298df782b47861e1961d60

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
Size

5.5MB
MD5

84f83370368201cbaf027738b3a347d4
SHA1

23c19659f7320a1f6fbecff11355699f38dec1da
SHA256

1ac1defc397757ff2fd0976cfb2021a48f86e09812298df782b47861e1961d60
SHA512

01097b4464e02fbab0775cec67721d73a07c17192cd9d7a953cc291ed5a21a0aeba478410f70ea073edc12697cc62b789c0525179fc29537086ff7f80f24f235
SSDEEP

49152:yEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfS:YAI5pAdVJn9tbnR1VgBVma8t4C7

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
908	alg.exe
3096	DiagnosticsHub.StandardCollector.Service.exe
388	fxssvc.exe
3600	elevation_service.exe
2992	elevation_service.exe
2560	maintenanceservice.exe
1872	msdtc.exe
4776	OSE.EXE
1680	PerceptionSimulationService.exe
3436	perfhost.exe
3880	locator.exe
1232	SensorDataService.exe
4568	snmptrap.exe
1788	spectrum.exe
3816	ssh-agent.exe
736	TieringEngineService.exe
3012	AgentService.exe
2064	vds.exe
2376	vssvc.exe
460	wbengine.exe
2784	WmiApSrv.exe
4900	SearchIndexer.exe
5996	chrmstp.exe
6120	chrmstp.exe
3504	chrmstp.exe
5388	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\75e4bdff1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4b39274bdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc95597cbdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042e4677cbdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000396bab74bdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000919fae74bdbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d90d57cbdbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092a2e87cbdbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9f1ac74bdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bd4ba74bdbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
6112	chrome.exe
6112	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	392	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
Token: SeTakeOwnershipPrivilege	1296	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
Token: SeAuditPrivilege	388	fxssvc.exe
Token: SeRestorePrivilege	736	TieringEngineService.exe
Token: SeManageVolumePrivilege	736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3012	AgentService.exe
Token: SeBackupPrivilege	2376	vssvc.exe
Token: SeRestorePrivilege	2376	vssvc.exe
Token: SeAuditPrivilege	2376	vssvc.exe
Token: SeBackupPrivilege	460	wbengine.exe
Token: SeRestorePrivilege	460	wbengine.exe
Token: SeSecurityPrivilege	460	wbengine.exe
Token: 33	4900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4900	SearchIndexer.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeCreatePagefilePrivilege	2936	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
3504	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 1296	392	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe	82
PID 392 wrote to memory of 1296	392	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe	82
PID 392 wrote to memory of 2936	392	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe	83
PID 392 wrote to memory of 2936	392	2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe	83
PID 2936 wrote to memory of 3664	2936	chrome.exe	84
PID 2936 wrote to memory of 3664	2936	chrome.exe	84
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 2304	2936	chrome.exe	113
PID 2936 wrote to memory of 3944	2936	chrome.exe	114
PID 2936 wrote to memory of 3944	2936	chrome.exe	114
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115
PID 2936 wrote to memory of 4464	2936	chrome.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-11_84f83370368201cbaf027738b3a347d4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4880ab58,0x7fff4880ab68,0x7fff4880ab78
    3⤵
    PID:3664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:2
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:8
    3⤵
    PID:3944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:8
    3⤵
    PID:4464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:1
    3⤵
    PID:880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:1
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:8
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5996
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x80,0x274,0x278,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6120
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:3504
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:8
    3⤵
    PID:1164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1908,i,2084932169269487740,1893399026095779102,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4776

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1232

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
386711d0e638d29fd841c609f3a265ef

SHA1
57cc357673d914311e2bcf2cfb8a0bab4377ef9f

SHA256
3825f1603820346b281be0a96c95194290724797b99c264cafcf8f95d5e70630

SHA512
954f34c323deae930bdbe8c410cffbb2014004eab6735aa414052c66124de537e1511dc0f57267acb861919b3f57e3a7d225c507764803e491afbcd09056553f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
4cdcce24a904813f95d18b7d826783df

SHA1
50771ed6d094f699a3f53c7f8338cf6534596a9f

SHA256
d56bf9269a1502fa41ff4054c6c1399a62ab8f6360daa3e577bd98e40cfd516c

SHA512
679f5a781fa5fd78067d0e5e426898457431b9b44597d16823f8d1a76bfec8078f711da7f04608fc41d47163f08ab4226f85f337b7a348a5468c9294e8bd40f4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
92e5c67c76c21377957d36dc8ad2beae

SHA1
b720565e0ca28f2d51e902e196f5399049e70470

SHA256
09a2db41fd468dc799dc2fad6eb773c92102e839726a04a2c4a20956426d8f59

SHA512
930c2d8c0d5109cde94715806367ccec680cf7bd54aa6452514e3432752686851cc2ae8ba4e6e8bcc3404c1152816b57c07408cfb129c473e34376226b6ecf2b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2e056dac79c0c357a6fb456767da4f12

SHA1
9a6d34c138aaad89ec687792e0d7ca349e38bbde

SHA256
b60e26a6f8c5e1e9516c6bf8c29c1573c0271b572ee7c74ec667a5d4962789ca

SHA512
c61c4dc99b8d7ba40c10f441707afcba40a856bd50dfc60db1ea330bf17cdc1947276974ea1ee4bcb5840852419b096f74dd308bbc2261ff9a8c60fcda6e61f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1a941900eac9227e1e62fef55618b22f

SHA1
13c579ef6bcad00885164e2b56fc886d21753b8d

SHA256
6db62f1e255da7fcb843e4619432e705e5706b77ef9762eeeccb465971774e8f

SHA512
06fb6574f49b3ec720fa714160709a9ee856e53a041894a1feca9f93e0a8d884cefe6f971e4fcdb8592aabc582a3302a7ebaa6921641059676427078b569d8ca

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c5ba13b6-530e-48bb-a4dd-01fbeed772ca.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0099a977dc2892ecb8bd3c955c36fad9

SHA1
cdb485e51083306d2fd7564a39b92448a179822e

SHA256
cd06cccd6eaa01faa79673869985a34d66c660797804a40cf0ea41774ebfdb18

SHA512
c1d6d720153a6166e8dee873f54f250bbe94e16f608f2f1a4df4384fd248bce96c2e4106683526cdf3c8240d9c20ac2c1136c023a176c973a2b1865906ae15b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b8594fd957474bdf08aa70299785720d

SHA1
3fadd3ba4f0db55265f4010292ad099391777b25

SHA256
e58432195dc4ca067b227c8727058425dd9f86570de10233d46cd6391be56612

SHA512
857d2f374fecd5a6fdc405cb55a3987488de69c7931c7a1e0fb8307bd35cfe5550b13246a8d10884be6b83fb0c591a1cf8c7a9ca67565db01d690bdeea0f08bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
06c6feb11ee630cbb96308cc94491835

SHA1
2da1163e3ed0e1f0a1d14fe34727fef469acbec3

SHA256
5316ec70b8445a1136d79ec7fe3b89061eff8548cd3e28599171c59d70661273

SHA512
2c4e4cecd996a467569998cf3b4e29e414d43046bff2d794a6dde7430bbb20ece42baa62f727e27a00cfa5538cc8c2da003d6936b7e5be583d8a65057b2e32b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579366.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
8eeb12d8921d9945348ec97dfe06ac64

SHA1
b4fc177455f5d5ac168e087a9e9d84d1fad56229

SHA256
c929bb55f30e758b8faff1e68503197a046ea8c5ab51f4e71446c64b1bc8702d

SHA512
fe4e9aa09adf0ce7fc18cee9f05930699e8bf18cbfc117adc640aab6ffca1b4873b887d3ee8eb75d401253267685cbe83f626afc0da5244170932f45e90a5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ca68260711ac851fb3636bd49d7515f7

SHA1
4ad9c80ac0fad879ef68d185f49162ed8c8e3056

SHA256
23c8310118d78d8c65a9b5e47f28b2c4bc786f1b678e1fb87d0f7b8b462dacbf

SHA512
11e7532ce757ff2b12d0a27fec8deaebea7259117ff18b41004fe15de3bd11d278f9b108424ae316bbb80263039db9d826647168a6bdedff6d0449624c0d00e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
fee8f9f34eece76886e557837d818ead

SHA1
7e47ce3c8b87abe49966b317e1a0982be74ed286

SHA256
1754d3ec64883e9c527095b26fb696089042cb689e79a7bd46f9e9a0c6ebeaee

SHA512
eb7340eed536463480919cb3c556b06b089c00e891f2285d71529557a3621d6db2bf3a7f5c77d1d19c042fea146fad898fb795928372218fb4ac317fb9718d67

Download Submit
C:\Users\Admin\AppData\Roaming\75e4bdff1ed82f9f.bin

Filesize
12KB

MD5
e10f3264b721054231509c0daadd3e19

SHA1
d0e8998c5e975aaa65fa08391ee8ab04b782b89f

SHA256
7bd5b59ef97e67939b248afb53558a6c73f67e33d62b7c26dcaeb8a7ae48d09d

SHA512
ebd2ab8bdc7f3ec27387409d5320374d8b29e8776aa6e8e2cd7d58cdcdb935663bfc9d815b0deee80caf3422554f1f8a34ebb079b1206a38618fa999f69430c8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b7128057f39eecd4bbbd289fc438ab57

SHA1
6109eaffc7295ce07dc5ef474ca8d78e45586339

SHA256
34fc9fcf3987c5ec62e71c6c976a8ab9cb3e080707856378b781e82bc3d84eab

SHA512
52cc1008dbe9cccc74e468fae51efa793efd7bfcd56e3e42cb3da01c1d04f772b5394a7800559ffe6564d3dd716d5869a1ebbd9c822b6b6dd88e1af4bf8bc07a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
88b22a412beb43769ab922741eacdbe4

SHA1
51f798c9cba839b34b2f2e3f38ae2d223514085d

SHA256
42fe7909dbeca271edac91c035536328130d1f2b62dea2415a95033f98d40d08

SHA512
56b281d1c78b22f6ed32b5e96210c6cd26e8dbe13f89f6648f745a540ed4f576c473e1084d8eff21b335be6e5d246943a99dc499c06bdb7dc6933ff0ae0913c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
6d99a78548eae26f30da365704292815

SHA1
568e40865ae0ed10a354bd71ce46586a539bc01f

SHA256
c6fa6c742a1b8ff3e0d0976a21ed07af2f8579cffaba12df26cc0ea32d5dda3c

SHA512
c72f8132c85b232ee224b5191ca469063b296f2ef9730f37d743b7f96b100ee7335bfb6ea2b787145147133f4a0fd5dadcd72245d7ca31d5ce86f8be7f3c1003

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b8480f7ba8d0fb5ce9f0f823979706ab

SHA1
7cc65a995b8dce69ad457ab4e6c1dd78b073b91e

SHA256
17c5d7ce0aeca0aa09b57f8398cea465fd4966b702e6da18de7aa62a8da1ed6e

SHA512
850d0b094f0d23e93311aee7ae147cc25e23270078ee5e6d9c18100567b122ed109abb271ffb0cbac42c72d729f2b29d9a2e652d2cb8ca9c028fea0ab483b75a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
88205d2b90c020a88defdf6429ada626

SHA1
38a81991567f217503a91b90124ada5737bc9a3b

SHA256
9a85678f308f4179718d37bc7fa76b0fa6d10e5f835d96f98f25195434cc43b1

SHA512
292dbf9b56e5a005e7d85a4544c8f14dc69a1fda18eb84242f13ef507d082de5b79475d7409192b9be839888961b114c4285a4a9c8c44c31644963a02619698a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b3b708465edf87e5c98ebbd6f6595e62

SHA1
8aa1adbb7372875169620e522ee644e51122a1cf

SHA256
7eea6a8b8cb0493b51ab8f3d65d2931a29c8c704d7b711f33e0d840456bb63cb

SHA512
a6930c0c337298829951014754fc2b646a692906ce7e20380eda74a11e2b43e19cd6527c484a8bd31451fbd07256fd5d4fcb8ca31639affb6283f9b049f22f7b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6445cf8f7ce251c7a0b560f6d8b135c8

SHA1
d19677d82e540368ed69091345bc653c0670dc01

SHA256
8bacdd99a3af5654d0c21df6c72235fce6df8b22c504caa4b902ae98966c91de

SHA512
a88ea1e68a5c0fe34c30416fc78c6ce7b98d5ea296a6797f64000779ed4bbbc0cdbbc25415343589957625931e74e9e4c300c3bab81e57713ea0531010254f81

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4314e29da39a5e91f4072f6a4d623b00

SHA1
ffc784ac7edae030c5a3c13233fafa8883175a6a

SHA256
09a8dc8bab0b283c036ef5bb9582082b241c1230cefad47c6ac4376abe97bd4e

SHA512
c8b52bddd1906b54584db5b94eed1898362bdfbcd0aca50eec839edced72d8e18c9dd31480e1311006244db433bcac339b1bb815e655f8a5831857e3719af3a8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
809c500eb9796179a529c0132b0ad2e0

SHA1
2f4f878cadd74ba8c3f88a52d83031097b448bfb

SHA256
3423b24d195534860def1743ee1c11e8fea9d4ec38cb3a9266582f6a70fc480d

SHA512
31361b494c081c5bceee368f638aecd1d7e68b860478cf4d205e6d33fc539495021cf0503592af251181e13c2065c639ba6ff018bef24d11d20e93d3b6560725

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e1863981f96b97c1e334728e3165a161

SHA1
94a4e32f9390de5cc70f2e9f5bcfcd6c38af4133

SHA256
2ac8611195176d293414277a56aa4b9afecde82f3e5918cabe79207415af6c60

SHA512
a5eddea306fa86a143227801739a5a1e80bc262b00060fb7c58c3309410b117d100af73ea622719a3e9288b2d6a8138c3a213f932197a9eb9d94b90a4ab44eb4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
85baae75920076c9021d28c63e0353a2

SHA1
4ace5a9b38cf92b1a1beeef3c0dc0143e9b943e3

SHA256
60ffe58f83b79faa59f0a2fedb530fdb63334672e0913238e5be378ad29295b6

SHA512
850b5b23616795f4ce47d6e60e714938714de3d9a38e2641be224a9c84667e2246a4a078bb54ce84f39f2f26abe45b6ee315daa7c5a9d79836c2190233dde2a4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
82e5220e303c6cbb30b1e62d1adb6206

SHA1
c2997a1480800a2504b867ca61a7df5cbd65384d

SHA256
612822eed2c431b09057b253a9f4a3a2dd6451ae9aca3c76e4967e3eb5d755a0

SHA512
bbc639e8abdaa641a42067472baa947539534f072924a9fbe8a8a880acbfff1def12beb9d6eeee38bfcdb93f302216c6350d1d1a25e458cb5cbfa4bcd935fdfd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a671335adfe0ec2fdb8fbd9a652cbb96

SHA1
f84d41d8a9a97f0a474a3cb4b4736381dbcde34c

SHA256
6a977a663d0607c6045d315ce87f2f38ee991d3e109932893f6c3884ae294894

SHA512
b7174196c949dc9a11077422c1e51109b50ce63625de6602f035a459c88fbd36aaeee206d1020be9993d8c7b48d31253b1c634fb81b79c730a757093996a22bc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ea5f0ebe65c94d51fa65afae0062eaff

SHA1
fa4c6b2cf7ce3de070b679986a30db3e8ff2cd90

SHA256
d5e32a83dc10d2aeccc4821b1c2cf8f4942134b21c0f758ba306bcbcb6f9db8e

SHA512
66b08806560c5c41f9461f177d522322174b4ade921ba61fe7bbf22470a386b69133a74d0c246c74d133f43cbb23cde0ec75f8f0f839e1fe94d8c501bad8cd81

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d2aee1b19e43b9e024c5f1344a8a70a0

SHA1
a0a36fa85c6cc213c2cb0bb5f295459586661008

SHA256
0e3eee1ec63b0f1be6c65ab29d960b14c12d4dc576d1a5921da517e306babf1b

SHA512
f90843431e9c2d109217ba11076f68de130badc19b003a844993bccf716df31f833aa8ac5ed6633cbf99cd7f073e3e95baf8eab75cd7c7d6dc38e4150537d86b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a113eae5727788cfa39e809639c76211

SHA1
1d3a2ce85e10c02875906b12d804f24f75ac4bb1

SHA256
b4122f5d963f2f849de2d52893ab8d2dfbb2edaa1651e13133aeb440a38e3e64

SHA512
492d1517ee731884045e8ad5d6385add7dcab7bf958e582e0cdac18d9d9abe2bec0aef66f226be24b8c0013b61506656dec7b2bcffd6522cd5b5dc2348fc06fe

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
46667d12d0a114a8f343cd848aabc12b

SHA1
849373a152e01992420b7f9e0b2adb464e512e62

SHA256
ab587cde867eb4fa978f15748cdfde4bd57996987487ab2f92abc0d39a1875f7

SHA512
e3235b409e10f73faf603ab8d86027500708fec8d3ece3b33f30523a9b0385cb7cb22a7986b77db2d7af5788697c78f518e720c63f0db9fab9ed80bec7d0a6da

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ecd4ba19c7b36b314f2dd1ba47b03f0

SHA1
9aa1f3d6c52907eb1bd77ecbd4e6747af8d7198d

SHA256
502ab06b2fd9f81060112549cc79910a220c3c6a8e7c2fad40426faf2ef8f0da

SHA512
c554e33ce13326a1d9e1a9b4187015b67b9a4d35d758eff62dfc456916600735d7521efe7ce9dc061e0a0fbe9bf882749f603769178923e7ecd7deb31518fb4c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
memory/388-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/388-62-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/388-56-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/388-77-0x0000000000980000-0x00000000009E0000-memory.dmp

Filesize
384KB

Download
memory/388-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/392-0-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/392-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/392-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/392-24-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/392-6-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/460-349-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/736-341-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/908-39-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/908-27-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/908-38-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/908-614-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1232-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1232-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1296-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1296-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1296-541-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1296-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1680-324-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1788-337-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1872-321-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2064-347-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2376-348-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2560-103-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2560-91-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2784-621-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2784-350-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2992-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2992-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2992-320-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2992-620-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3012-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3096-51-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3096-615-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3096-52-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3096-46-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3436-326-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3504-557-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3504-579-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3600-454-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3600-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3600-67-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3600-73-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3816-339-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3880-331-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4568-336-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4776-322-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4900-622-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4900-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5388-571-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5388-704-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5996-532-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5996-590-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-703-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6120-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download