2705757b9eaa628761067e83777fb37280a056d0154d7493dba808c52588d432

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
Size

5.5MB
MD5

672b3b4274277b9c7ae66e8eb7ad2458
SHA1

1da642b9621b602770e7aa63f303f70480848398
SHA256

2705757b9eaa628761067e83777fb37280a056d0154d7493dba808c52588d432
SHA512

7d71d5cfe21ffd1d5b1eb069c413d23e594e645a40c00b001fb96725ad39dada1921cd3353b42aefcd689c64158d953d1ff0e66fd0ce9185548f8988a4b58f00
SSDEEP

49152:IEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf4:GAI5pAdVJn9tbnR1VgBVmyqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2348	alg.exe
408	DiagnosticsHub.StandardCollector.Service.exe
516	fxssvc.exe
4448	elevation_service.exe
1008	elevation_service.exe
2600	maintenanceservice.exe
1960	msdtc.exe
3592	OSE.EXE
1592	PerceptionSimulationService.exe
1520	perfhost.exe
1864	locator.exe
3192	SensorDataService.exe
3156	snmptrap.exe
3860	spectrum.exe
3380	ssh-agent.exe
5004	TieringEngineService.exe
2408	AgentService.exe
3168	vds.exe
516	vssvc.exe
1232	wbengine.exe
3988	WmiApSrv.exe
2640	SearchIndexer.exe
3764	chrmstp.exe
2928	chrmstp.exe
5336	chrmstp.exe
3464	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\87d5b89b4ba38143.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8fbccfcffc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092e48ff6ffc2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000843e2dfcffc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8f01efcffc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078b504fcffc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000504e5ffcffc2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012f1fffbffc2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4004	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
Token: SeTakeOwnershipPrivilege	2296	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
Token: SeAuditPrivilege	516	fxssvc.exe
Token: SeRestorePrivilege	5004	TieringEngineService.exe
Token: SeManageVolumePrivilege	5004	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2408	AgentService.exe
Token: SeBackupPrivilege	516	vssvc.exe
Token: SeRestorePrivilege	516	vssvc.exe
Token: SeAuditPrivilege	516	vssvc.exe
Token: SeBackupPrivilege	1232	wbengine.exe
Token: SeRestorePrivilege	1232	wbengine.exe
Token: SeSecurityPrivilege	1232	wbengine.exe
Token: 33	2640	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2640	SearchIndexer.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe
Token: SeShutdownPrivilege	2304	chrome.exe
Token: SeCreatePagefilePrivilege	2304	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2304	chrome.exe
2304	chrome.exe
2304	chrome.exe
5336	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2296	4004	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe	85
PID 4004 wrote to memory of 2296	4004	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe	85
PID 4004 wrote to memory of 2304	4004	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe	86
PID 4004 wrote to memory of 2304	4004	2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe	86
PID 2304 wrote to memory of 4592	2304	chrome.exe	88
PID 2304 wrote to memory of 4592	2304	chrome.exe	88
PID 2640 wrote to memory of 5464	2640	SearchIndexer.exe	115
PID 2640 wrote to memory of 5464	2640	SearchIndexer.exe	115
PID 2640 wrote to memory of 5488	2640	SearchIndexer.exe	116
PID 2640 wrote to memory of 5488	2640	SearchIndexer.exe	116
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 2976	2304	chrome.exe	114
PID 2304 wrote to memory of 5532	2304	chrome.exe	117
PID 2304 wrote to memory of 5532	2304	chrome.exe	117
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118
PID 2304 wrote to memory of 5588	2304	chrome.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-20_672b3b4274277b9c7ae66e8eb7ad2458_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffce46ab58,0x7fffce46ab68,0x7fffce46ab78
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:2
    3⤵
    PID:2976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:5532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:5588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:1
    3⤵
    PID:5624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:1
    3⤵
    PID:5664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3616 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:1
    3⤵
    PID:5984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:6092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:6104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4136 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:5012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:2616
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3764
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:2928
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5336
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:8
    3⤵
    PID:1348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1912,i,6495035417677936375,7459316933025118789,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4984

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1008

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3860

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5464
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5488

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6ecb3674dfb62d52adf3f24b54c66108

SHA1
e5c2a0e2e5f045376df3cd69fdd81fc015bb1396

SHA256
af34684b8ef41cee490866e70879b77fcfee7c1f0cd677090fbfb2ab6731532d

SHA512
151381c10584e9ad9f87c69d5c28c069cfd32da6a71e00c2c41cf50828efdf493c19a721553d7838cc45091f8c015db8572de993fc1502c055e1a8ac0d6ac620

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dabb0674770412b31c6632726ee25ed4

SHA1
fc7902a7c728c858e79fadb133ceb744aeff21c9

SHA256
7efdec388cb48dedefa2fd0de3ec64b29406fc48f8b39681cd3e8ceff649e0fc

SHA512
f3031fcd923c60e1a56ddc553c2bd1dd43a279b34cd85d04f98110c4fce4a8a51e4e371f114b513c8fcf40bd2f9974e4822040a7793c217de85de247634ef48c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f0465e6773b1c5a7277de8e006b23c19

SHA1
8468021b560b4de5de864bd518d4c3b284d7e423

SHA256
7da678df775d62c6874a4f6aace3fd4c1716fcf08d8bbf789d094f8b4fd76a6c

SHA512
5c5ec4f75c2808ca9185cd38c01eba97c8b78cb01da2391e6ab2e7bb90e4424f99dfe34124a23f05f80df0189b93fded4409ad26e8264382bd21e62a9f190bf5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
63d8bf71f259a495a99645352578a77f

SHA1
f6812e694314996153b09ad0ae9c579371d7bb00

SHA256
410aa61af193c9a5035adfdb3d836a84b7d5b59885bd953ac0d883b446bc4dbf

SHA512
cc6c18ab528e3112db6ab49414d17aabcc7892bbf800c0c49533840b7ede87ef340ef240f14704d59bf69dbfa14c44a4419feb31b19b4da1aaa6400b098f8563

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
660454e2b21e988ac9cca358e7a4353a

SHA1
c8df3ebf2449398debc736872fd5683720912b17

SHA256
ac88aac5e86e3fa29f1368b268497ca04253d7b07ab2fd2c737297ee00fd52fd

SHA512
a7ddc831e2df907607c15c24582a04e7eed97f36e20b07ba9b09fe68e4d8ba4c36e5fcc1b7b0997cf027976d644059383857d0291cb5801068145ba93fc8d650

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\898c6c40-9f72-401a-9fbc-c8b8c5a5c09d.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
698b8c4f325e8fd42fd5078aa06149db

SHA1
7af28b75647b5190b80eccac91904c0ef568cad5

SHA256
e846f7b893913097b152a19e4a51be26a20ef90c5a5c7fb7bcaa444927000c27

SHA512
c0748299c8f8ebac14f50fa862f7758b4b32c9e73754e2d3909c8fd87ebd6f4f9ce6c3f32fbaf933ca689249ca1e2faa32b224a6b72049308f0aa8aebfd13251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
28cbe20dc651c3820ce08797e93e0373

SHA1
1ddbcca2addd3b3d238cb90f6d8030a57a04a20c

SHA256
aec523f228d96a0872501fc7009ea54f7ec7aad5aac095222c903a917c07b6d1

SHA512
8993d0af0ba9b2a33e0cdf264319dc0cdc077717a8d6f74bd0aee07e13b82176acc3298461d1d3bea4bf01b4aca8be8bbd636724d8bdf274b27f413ab35a5af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
10b84be9251fe789d2ab5664e68b1b42

SHA1
c42f4a74f164e3f22c0b956fc464df2bdc92b3d2

SHA256
0314c3abf8b62085d38edde3cfa504a5b6b3098e772f80af6aa4371942330068

SHA512
10b499d1926cf0ed71886bbe99b26a67737e6121477154b8937ad4d28b7e13c78e4187a83f942196d73cf7a963fc7acf748fbdeec75e09041b5bd1daba274117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578fad.TMP

Filesize
2KB

MD5
e51001326fdb734e7394cf6934f68920

SHA1
74a5c58398f50ab8cb348ab623ab2eabaf5479a7

SHA256
6df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292

SHA512
dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
adda7e7e8044f5f73293fdb36eb6ae95

SHA1
d4f421def4af556988f83da13b04f463fcea3490

SHA256
0da8f35958866541c552dbb169ff0434ee5fe03b65787df658008f2e388d5c65

SHA512
5607292ac2cf4d13f4f8bdc12c2c4496c828a84d56970a6aa5d10c6d08d7254571fdb3295b4998e485483c85e3f65751f610dc158b1c2d9d9b579a2ab3271338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
34cea69f3c7f86340a1336afb0d0f902

SHA1
ca55be19de2b41d21910389047a3795734f3f955

SHA256
9718a250f67e964e124d9ceee5df459b1aec81bd09e6f39b8c03dc7ee55d3763

SHA512
9c5a0c867eab5df4bdfe95271e512ed91c2c7181715bd9a978cb76c0127b71ff0b648b4660828d5433c00ca5e1f18ddf019da566e7b995eb7e915a77e906d09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
e420d1e29a3aad6f8be059b53b8710de

SHA1
8e20dfddab63f7774455499172b2e764c627a85b

SHA256
5dd8fa35320244db35e04ec8d286b5f3b3df51e77931895469d722ac4ce112bc

SHA512
e9b790828f4fcf598adc1d3a5695adc2efdcc53553b5c82f89d8ca32198080d77a56dd21e0d308fcf9e0dfc83acd6d505e8390a0cc4d021d32f0adc876c921c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
4fc207faa0c782e883262471530d246a

SHA1
60f600da884be3e782dd5b445b1307cf68b4c48a

SHA256
bb754320dd171f92ae139fd908dff09750c17f8a20da4426d1a8954391f8a313

SHA512
34032616191a3d2728ca2b61dc37272bf7ee41e22bd4966bee7bc32a2bada704e7893aa5fc6ef38078b544fda5e9e357cee65a2d6b15c8fcf7795e7abf794d35

Download Submit
C:\Users\Admin\AppData\Roaming\87d5b89b4ba38143.bin

Filesize
12KB

MD5
09dd95354cfeea9212410e8870622083

SHA1
9e956b5da7efeaa2627641ee68117a32513d3c62

SHA256
e178a88e116c345b9c9aac6fb8228749990d66b65d3b58a315434f8c5c96e95d

SHA512
ffa4e2c06513e9245fd4fd4de1c726fb200a7c26a86698825ef2d1ff8ffacaeb1454244808204cdb179024595d8308b9bb5d34796a5b80d76851bcbaf8d3fb9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c5424487268e3c05a861bef5c416a987

SHA1
3d1f4c9f7aa473ce8c89fbf97c343a8ea221aac4

SHA256
68fef08020f568a7bd9b4e4bada92ee4cdfef90629b7fc8217e0e8dbdb840bf8

SHA512
eb62739f12e7f810acf9f9bc40a08a2e90b90aaf798675be0a54aba8ecc693f37b9189183e1e9ed6c66f56f73ceda05f5a80b770de6ab346a6558fd42afdc700

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
93a9e6ed1a2c305b45f4fc6f4cf564d1

SHA1
8dacba74f380d43984e9ff72540b3ac1d98a93b7

SHA256
479ae8a26a10cd6f01b151d4ea3e2de22b29a207f27885aac96c554e733a9caf

SHA512
0d87eaefd676cfa6d452a40b55a92bb0c0ee91787816e5855948a7d7f6fc05f56c905ffd3f5b79f6f6b57a235e492527f1329d134c2a873fc010aaebec0fa1cc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e8e76afddd8a44c07060a96159f2bac4

SHA1
1a6fddbc613e1457cd0096bc66bb8f3688778a11

SHA256
e9dccae5fb32a3a168957f02eda53f3471151e8ac596d288e5d31cf71790f053

SHA512
8df2a6ef9a665f3bd85931aafa7b0489460e00b5ed14994d839c9c3f059ad617808b840d55a66fb42bf8a3845728b9e5bf54d383550fd61f73fccf7f1171e777

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2d03670de29d98ed9f793c7ecdd617c8

SHA1
0f7ad63522062d3deb51d3ea357ff58c22f298e5

SHA256
a94dc04515910b7d682f94fd83f5225f2f5f74bc44b6c6b2f4822a05a4a129ba

SHA512
0196c46f8d73c808d14bddf82ee2e5beb174f943499ca66fa7894c470d9714bbb4095fa29502d1b063c44e492fdc777e85f8f61413b92358bfda2f0036ce12af

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0476fb2f3f568f9b77188303fa8ff599

SHA1
2ee5df9e3121a3746cf2db112c33a802ce20a537

SHA256
fd5c1aeacc3e232266d48846ca2ebcb4281bc596de536116a7a4d696f4474b40

SHA512
66c6cb6df19e1b6e30387485ca0afa17ea5036a96d5aeef99736a34212ed7a6bd20d1654361c5e0d2125c4e051d861cfa38dd4f585d8c47a99a1f32159fd59ee

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2eea38e4a2184f4058c46d45c691f3fd

SHA1
8dc0763d6b6e079ec51b24bde7b231574257d351

SHA256
40bcd8f581e086d90223390e529ccbea6e5d66039bc02f4f35c1f4fb24f9ec34

SHA512
af13917eca8938ce50aace3ff2803afca41aecb2f2bdf159cf669ffed8cf6bfe6a44d2ad7b262a571d5b48db877687ea236c91bc17240e14612b3527b0c8111f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7ad2709109c1d6501d2d02fd6a208bb1

SHA1
0a5714576133f616d89be513832b7ac68bf5b56e

SHA256
173fcff2f4334fc7afa31f43cd8f43580d0553ea9b5472c99af5470ed363b028

SHA512
819b85811ae312e4070b35810c89eed47295024fe90ff1bffd481923b7546f4882ca1a360a843f028bc6979bed94214cf43ab4351090ea10c5832ccc45c298fc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fa44b20a62e10e4f1320a8a7d581fb13

SHA1
415ec88e0dae40ef7b21e3659eea476226b4b49f

SHA256
bbaf1580cb2261966b48fabb99cf2004e2592da208738b42d7c4453ed911abc0

SHA512
d3e8797aed0ab4555000cfbd0ce20fd509b9ab7452f10510daafba1283187dd2dbaeafb16f09fb9f73a3c168b7f5544d0b61b4f0c0692b4f37b902025e7466e1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ce909d21ea9be933a6516c20283140d9

SHA1
4deb872a51810de79f07f6c9ad08b94af56ca0b5

SHA256
fa1169accbb2a080d138fb202dc9a8b814fc8a4e59fe27857697a72227beec2f

SHA512
ac95c79c0e3cd5efe915d46c3cb9367bc50fc790075e10e9bec1df415a7ea249a066411721c4e6677a4cea9f33a17336ad6723b64b178e3f22f88ce64ee22d55

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cf92c48c6125424cd7498805c50d7d22

SHA1
0d0ee7b05fdd011ae929bb261d1f4c73a6577a66

SHA256
95bbe66842cbabd87fab5a53623bdc9e2e4c63c224e89a9f16c46d0240e273aa

SHA512
e4eb0f8fd9f70796f026878786337519eabd27fedf297c4d62624cad7eebe4b248638c0d0363979ed78843b280587cc7fc7b2df4f90fc5ebd39c49ed8eb7424e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
29b2d76efdfb04f012dca75671625533

SHA1
110709dde4eef9ab2d1d5f6454d9c6b28513e30b

SHA256
607c4a88061c9b25c618c1855597110a44e15facdeaa19cd3a57e84a0ad7a689

SHA512
f1d3141361a6cdbc74ddb7368c2ed6691de5264a08694a1ddefb1d73059a9dbfd5e115ee6555961227f3fc696d0af15caedbd33d5e863b1adecabe865b3122c1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc77f4ecfd2f980b81222e8acefd9444

SHA1
7acbc5ad0aa0133bc93f96b1165b327761349abc

SHA256
5bc7b6031b97b8947dc8dfcbe9858f83302b746de66f2488ce6caa9132d7e377

SHA512
c4ad1ffb04d841df47a2a971b71b4d3c55cf4f436f4832e892a907e74f96ad20276514543576f2d2b97d0eac0996bf0be62c75c65bd8d8e8fec57f84d2e76a06

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5e12e8a3042e6f56e539e7dd2b59edd0

SHA1
e553c03022c08166fd8fcb53e4b1422bbfe96e91

SHA256
bc5ba8ef021233a1cf0928b4051b6eb080d4501e16d704394600805bbc07d2dd

SHA512
6af579ffcf78e9820ba390f3977ccc21ca7a35c77fbd6ab6143bdd5d9885ed9866576cd533da1238669cbda0394623823bbdfc1b6cd425238fccbe453dbe7d1c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8e52dd97e9fc7ddcb8fb975388d9b573

SHA1
6019ccc6d52cb5d39feff3ce9e5aabb1c8630e21

SHA256
04ab611ccee8e970ada8c964449dad40c349053f532f08a1f1befb95dd230973

SHA512
de5bbd0dc8f06723970fcb4fc537a7bdb2359f990de4b6e4ac703f7ab65aa4d9234c331aeb282de90f0a4849743320ebdae594cd2f330db88180fe062c9f4030

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
2dcccdf8056c35f5a007315e998d8e2b

SHA1
d7f15f685ccf3bb8e46d701d8cdedd05de21fbf8

SHA256
36e5edf1964227a1f2c9038ac931b42fa5ab19ca46df8fd108df2bece84dba7f

SHA512
6f20cb224f6501be9b09d2d29efa42ac42b6827fbfb254ddce0d3de9bd5d7810eeaf2b8ad2ee350d560c1810c3d683c1fec739275376aacd79da21511f7c37d7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
250fb69ee2994d27cfc7bd49c244c164

SHA1
b84d8b8556d00ed76ed44de17fc59e7e3b15611a

SHA256
24ac795c99f9273b359352a983a900cef8afe52a8b2c8a26968b8cff8c00901f

SHA512
dee4cfcc2eef363f57d66183b9ca918bcd72e6b3d293a18675f6707c672ecb0833842cba8162afdcd8a2f8c20f0bc560d41906463128fe424ec502d1b479bcdd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
f7b07ca360ab031c6dc9dc5071a7e382

SHA1
8d7f6b7983fb8b8ce2ef5e4a3dcc67090451994f

SHA256
5207ae3ed263ec2bf667346d20d8eec6bfea1b14b3b7f9dda7b7e240b60b4017

SHA512
42363067a7356c8e7e0dc6bcc8e077690c8aa1278778bf2094d07568c3876933008eb255cdd71b38c39f5d7bff736552e983b3f801f5ac52e1fde67ac7dc7e37

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35b40f4d65985eace030e0098f488175

SHA1
65dd56a47c419401ac0c34b89523a9e3098b75f8

SHA256
3639b159eb6403fdbd22835e81a72ab83fafe31598940c96aad72a2041e8c611

SHA512
ab5b4898dcfdc47ae484692d8d80b1c807833e300f178631f11a8b39b0a6d93d2320c07d9235232d2374be6f62b98c6daee023c4e644cec9526e7dbea1a3b8a9

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
260b0e3a53746be1616919a463e54706

SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a

SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309

SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434

Download Submit
memory/408-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/408-52-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/408-53-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/408-46-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/408-631-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/516-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/516-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/516-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/516-58-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/516-64-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1008-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1008-738-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1008-318-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1008-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1232-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1520-321-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1592-320-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1864-322-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1960-317-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2296-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2296-543-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2296-12-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2296-11-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2348-625-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2348-23-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2348-34-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2348-35-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2408-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2600-90-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2600-102-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2640-740-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2640-332-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2928-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2928-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3156-324-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3168-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3192-588-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3192-323-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3380-326-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3464-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3464-743-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3592-319-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3764-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3764-604-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3860-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3988-331-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3988-739-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4004-6-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4004-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4004-31-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4004-0-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4004-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4448-75-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4448-463-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4448-69-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4448-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5004-327-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5336-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5336-593-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download