7db8a01e83c16c5323fed287cdb30d2fec9b313db905f93a951a82a73560eabe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
Size

5.5MB
MD5

0d6caa0092ad29ef2f4fafbfd2f4aa62
SHA1

a543e9b44236219edd646596bcf281d4a02d67dc
SHA256

7db8a01e83c16c5323fed287cdb30d2fec9b313db905f93a951a82a73560eabe
SHA512

0f663eee6fa3ae479d1249a18549b672c5b93557a5e9923c22b14d7aa6913f603078b05a2e00936be99accead9c8b6f79353c4a5511675a4bcebe901262cc134
SSDEEP

49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfI:zAI5pAdVJn9tbnR1VgBVmOqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3324	alg.exe
2896	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
3824	elevation_service.exe
1364	elevation_service.exe
4944	maintenanceservice.exe
4240	msdtc.exe
2764	OSE.EXE
4264	PerceptionSimulationService.exe
4588	perfhost.exe
2352	locator.exe
3128	SensorDataService.exe
3652	snmptrap.exe
3936	spectrum.exe
2184	ssh-agent.exe
4552	TieringEngineService.exe
3180	AgentService.exe
1160	vds.exe
4260	vssvc.exe
1036	wbengine.exe
4820	WmiApSrv.exe
1784	SearchIndexer.exe
5892	chrmstp.exe
6108	chrmstp.exe
5220	chrmstp.exe
5428	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da7ad72f4ba38143.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8cacf3c18c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd66ec3c18c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd1aeb3e18c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a1e8e3e18c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052eb9d3f18c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9eff53c18c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4424	chrome.exe
4424	chrome.exe
5480	chrome.exe
5480	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3676	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
Token: SeTakeOwnershipPrivilege	2940	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeRestorePrivilege	4552	TieringEngineService.exe
Token: SeManageVolumePrivilege	4552	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3180	AgentService.exe
Token: SeBackupPrivilege	4260	vssvc.exe
Token: SeRestorePrivilege	4260	vssvc.exe
Token: SeAuditPrivilege	4260	vssvc.exe
Token: SeBackupPrivilege	1036	wbengine.exe
Token: SeRestorePrivilege	1036	wbengine.exe
Token: SeSecurityPrivilege	1036	wbengine.exe
Token: 33	1784	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1784	SearchIndexer.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe
Token: SeShutdownPrivilege	4424	chrome.exe
Token: SeCreatePagefilePrivilege	4424	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4424	chrome.exe
4424	chrome.exe
4424	chrome.exe
5220	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 2940	3676	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe	83
PID 3676 wrote to memory of 2940	3676	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe	83
PID 3676 wrote to memory of 4424	3676	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe	84
PID 3676 wrote to memory of 4424	3676	2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe	84
PID 4424 wrote to memory of 3636	4424	chrome.exe	85
PID 4424 wrote to memory of 3636	4424	chrome.exe	85
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 3756	4424	chrome.exe	112
PID 4424 wrote to memory of 2948	4424	chrome.exe	113
PID 4424 wrote to memory of 2948	4424	chrome.exe	113
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114
PID 4424 wrote to memory of 1984	4424	chrome.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-20_0d6caa0092ad29ef2f4fafbfd2f4aa62_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa06dfab58,0x7ffa06dfab68,0x7ffa06dfab78
    3⤵
    PID:3636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:2
    3⤵
    PID:3756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:1984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:1
    3⤵
    PID:3632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:1
    3⤵
    PID:2952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:1
    3⤵
    PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3948 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:5308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:5664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5892
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6108
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5220
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:8
    3⤵
    PID:6020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 --field-trial-handle=1912,i,13919736952532149141,8955472139767712097,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5480

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4936

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3936

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1784
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6b13a712e6e082d9819aa0fcbe49a570

SHA1
4cdd873f8bbb0f11e39f95a48b91ede2f8014562

SHA256
dd211af550e8c0ef283eb2379da1ce428292431290c7557ec0e2431faffb2db3

SHA512
59d46b80834517bfa76c8c485c347aef2ffc1ac9ab6226604c089f50b01922464973fe602e2acb8230da05314431534ac30e7fef3a339bd9b316b0cd0e60270e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
65efd4df97980247f67cc72ef19378c4

SHA1
4449ea905627d22722175dbfeafeb363e6f4339a

SHA256
234089b2b2dcc173ae69df55319ec5250828aa16d305a2eb971bd1c41a894674

SHA512
4882f053bc8ff6ff82718b7ce9145108b7577f2c34a43e05252041ce2ce26268643eb4b2e7517ba92dfcacd2aff9cdacda80df2c7bf11093ac28cb873f570e39

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dae89cc30128c463de753a13d8c7e765

SHA1
75afd7f05f4b44fbb469f2ef1ca9a838ee8e2240

SHA256
2fd7b53b9674a3a9769c17b25bd5f3e8d031febacb6e1b66b46dc35eac518f62

SHA512
d2a798d2b019300589f7d289bdbf664714def3bc88d3d91e45fce970d6b8dc3ce7e9ae101dee5e2e49a74554f18541d333478d2db0a9dcd8f05a4f4b52575a9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a467a2a0fa779383b2667bf5edb9003b

SHA1
5a7cf1ac96dd42eab302d70a0520e9bb086938f4

SHA256
3127897a1d345790c55212d8a6ec5b6841077d21d34acaf26142a1c3bb0fb5d4

SHA512
deaa82399ec13513dae5e242408e15dc2cd28210ad072b9085a818e78c1afff663584ca35edba37ce9032140ad629253bccbd7641dca8d234115cfa93922c0a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
140cbcfce7e4bd33d8d8ab0fcd469564

SHA1
f47ae949b2ab45a979f95528192acbbf33ea2841

SHA256
44910322a44f5bd387f4acedafcd368b3c808fa914b3e67040d487f599fd3ee3

SHA512
9e956fe5013896b261b6b2de966ee2e0dd0b4ce7de7883a212b9b7ffb6a978f05e3e7feff3a14efa0799e229c3354efdaf781defe25fa3a494588ae4035f000d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d4d9f4db-7505-4069-a0c6-3d5fd1ed5ae6.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
efdf336c3d3a1adb92b2ad84b9e0ddf8

SHA1
d12684bf46d8efdc7fe65d72974a64f8cfc83aae

SHA256
a3b64fe67ea4be6fd1cad4f43ab347f08f3c05afd11552101ddc5f80fd3e31cc

SHA512
d47956132f95e0f8c31b0d8e8b23a7748b4fd39b6acf746e65600499bb6dac8bf3ba64843a090e41066de86eadd02aeb9c1ebd3ab9cdee4bd9d7867febbb696e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fce148fb3cfd77d0dab3eee3f8d2525f

SHA1
dce338009e4f17418b81c1c338c03771738d4087

SHA256
a6e501c7846f57945ef15b7dce1b448a0368df66793eda135c130de9211a0c03

SHA512
4b132db85503a61a57641d9607b4be7598b2a56a0b718262d91a6b7b2b4d5f888736f0684faeeb4f0bad5f95f79e0161c4bf8510c0c95a9ab9394831a5ce2e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2077eec832d76a72ec0f5b598dc71915

SHA1
5d4f120fd591c7b5f23a566dee87e38c395d7ac1

SHA256
17c5a6f0f371abf4ff36946aca63ee9da2a88980edbdf04e2caeccd3861b3766

SHA512
41a2f1ebdb2ff512839e02bc8aaff6d8b20769fd669d52451cf23f8cabfd40456cf0b738db292b9f950581970f5d090e8029986f4e725dfbdcfa354f29c78f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f720b02361034b3734399fa66c174d2f

SHA1
736a87f115f2e75692447477065373d038bcea07

SHA256
13ef137f7c3932818a0538aef8c6336e46c1b39596cbd76a372d4d016f725f2d

SHA512
00ec589b55e923daafb7bd742759e3fc72a453b8e45f287c07e305314f0ea6c0c581ef4bff1fb57450a98a5685381d92a86dda4617aabd7baff70400f02a979f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5786c4.TMP

Filesize
2KB

MD5
e51001326fdb734e7394cf6934f68920

SHA1
74a5c58398f50ab8cb348ab623ab2eabaf5479a7

SHA256
6df4e90ac1fb8ee68b75eb0f6b8a930a9e812999a273e10c5e5bbe176c435292

SHA512
dabd3ca58ec0bb351def0960f104150364f950ec29c33e090afbe542865bad9e08d2a19113b426f512970df237adc0ad5d188ac9c8fb42b17616630d3578d877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
832d96f307137ffdfe1b0c36ae1a1a0a

SHA1
c8ed7101e2d0572d8fe63eea93db9a8ed448740f

SHA256
01e2ec1719dfb8b1998c9a552bc2e7b76e0e8d03fafb85ab014cac580db926cf

SHA512
aae11746e82fc09a5771b38d3e351fa03af28e1c7f627223893bd02ffd4aa0964f8a0ad14ce1ef7f3c8e26b4c89fd96e1b124cd716800cc2e682df9920fb90b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
83cecca23b9926fcd548fbe5c820a792

SHA1
800b8ffc01665caf91746eb4f63eba16a8454eff

SHA256
ef9a74f41030c598a8046ed2415cecc236c7cda8b006c3df138d9ffe0c8aaa68

SHA512
0c69eeca4348ce0d4e1bf5bfe6f13c3467af2c0f13d0fd7c1bf411b221cfb8f069215448b09bfa1f8e947d888b23dd951597d0528b8526302da0a195c2ead1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
437147f86f236d6299e5b7e371609901

SHA1
d9e10aea6f183042b977ea2de10edb9b97f92b84

SHA256
a347b2aeb688ad9e8f9c0735cb3ff1cd22f00197e55d2b825fcdfb3d024672d0

SHA512
c9cbcc6474d5975d60953548699d0a293dc4e6db89f56bfb25ffcc9bd2d9f0f73c9af25585d026ca692a8fbeb317408b824acba45b454ac5a1ae4a34b4106473

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e9bde140f0d1e9f9e4a05629b2dbca77

SHA1
2c2adf249a9de61aec4559a9b47d5d8254987cf6

SHA256
d3bc79b216af518e72766a465fa5337edc41ea3e35389882e32078509c6724e3

SHA512
40555146f05ed3e051b012f87620c88633763b773c94f25e3c46538dcd67622b00859f6e62c9569d72065a14d106202a4f183c7bc27e8256239823e1496bc37b

Download Submit
C:\Users\Admin\AppData\Roaming\da7ad72f4ba38143.bin

Filesize
12KB

MD5
fa1bf2a40082592ede2903197d87a9be

SHA1
d6e88ab909a44b41e33bd2bc616014492246b21d

SHA256
f97b069e9b1ed5b205c93d99319ad602f629a37ab670f78af98b2f81ba3d703c

SHA512
b89623ad6a19f06dc1e53ee5f6d03f24c81609202c2825803010ebe58f5fcbda98746598a43ced86401f7ebea471ff951d401ee663cd7200dc32086394ff7006

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
048bd4a2e862343e0a1b93dfb3def2f2

SHA1
65aed251d1137127deb6af945f51dfaeb15517c8

SHA256
62873f379b2b81095ae0f7809d588efcdadad9ce821cb7367c701c35ab91eed9

SHA512
f1217a18b38fd18f16609f85c5c5b11b95c67cd07482ea810e5e5e01ed0c29c8f1627dff3b3978f430732e0cfbfa34cf1e1af7d9adbc0eebeb2529dd08a01272

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
01cd7acafc7b62bfb10b609c9a64bf5c

SHA1
23a6f69c346c02670be19c3243936a646269330c

SHA256
8387c2b2ff96ba45582fe0b829e9d7be5a4fd1a9bc49526ad47ddc006e866eb3

SHA512
29a1fc74b006aab9398e0ff9f7cc285caca7021c74aab736e73d557d023965daa8573d4236511b25a4ca1129dd3062708b542b86415da049fa29a0c6a5bd756e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
3f84cee1f015699af781507bcc6800cc

SHA1
2ad00ecb7ab5fd3b137297dc76bdd67fcd063b39

SHA256
3a8f7b5e9c7a069b030d13849584ff6342f8d0f9dd3e7514e13a4b5ed1b86067

SHA512
5022e75229bbf11de069bd12b66400bbef7fd40851b8a5fa7da869beb44a68d87c948c3417c291aad5904da7e7560d01466326eb923fedda696a0e209ae7e618

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f3a7efe76311a05debbc7a84cfc7e717

SHA1
8ac51fa18a7f702bf2d7812a05fb241ba3a18d71

SHA256
5dbda738797f0094d3531daefddcdd7189797600e2ede05ade0cf549770ab3aa

SHA512
2778635da1917edf20fbdbf0745f3cc77a57ba167307643a40a53d60d328604af76a574704ebbba7925ca74109be56f521f32736f8166fa82ca53c393197bddd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
524bc2367634bed5d69079969adc83b5

SHA1
dcae1f0b46b3fd827e1d2fc5ac22651eda4f4cc0

SHA256
b0b3e4fa283001f961fb273f381073f249fdbd191d1bec0f8de6a78424e269b1

SHA512
959fd734df8c19273d357b7e38ecafbe57c18c7ba73c4066f936c00b49718fe9479a257189f28591f063515e66bbda506eabcfbbeb3ce018cc3b3f60a3bea99f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
978724766e5ada2a2cc9405339f50a27

SHA1
44dd1037dee3250e7abd348e90fdabd76d0cdf8a

SHA256
32102ebb3c2e0a765a68ff664dfd57ff5b39330248895f06878e1bbef3eec8fa

SHA512
7c74aaff6ddfe44ec913b8c25799c4d6921df2b13fa68d73abd974753da7970f8f44bdcc4d8dda7da30a3c54c53e10a5acffd6c8986fa2165efe948e313cb327

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0029c34499576bde9c2dc70f0f346294

SHA1
c81d5914e77156af798cdf0e038398b2372bb29d

SHA256
325a9e7d1237f56936f20d5d43bc08915f777d0708e31b67a8545093fe406066

SHA512
fd301538f7dbd689b1a721eed865c80809e1f02d545b9d429459c44c91590406579d9f39297ddd669c8b3d71efddcd079bc3f47f5d8a8c3c13c7eb461744c430

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
09469f3fa64c30ac41d615a672c45dd3

SHA1
c0581ac375b7ac04fd77140e6d588c620b57cc6c

SHA256
af1473b649569c939388b162f0c973eb0021bdc92485e0d6d33ce9088d0f4134

SHA512
e3696a9debe55ac97688ba6fc179bd1282a7b02a5016bb2051a1aa7bc5a9b459b1dd3df1b8b190c1c19eba8bacd1f1ad49c0627146d98ee41d4ff2408cfa201e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4c9d292311ece0dbe1fd9fb4fbdf284d

SHA1
d77a5b8db2fe3ffe08e95769af9b2901a53460b3

SHA256
f4953e9d1140137a40790db232b9cbda6b2f1e310a33443a76cc850e459a62fb

SHA512
70cc978e2cf6bd357be0425e2dd4d15c606b4c4874cbf0cf9eaca796dbcdd98c42b270d3c7ea8ab11a373089226908eef76f51bf6b359cc91c52836314357519

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d879fbd54389a2bcf7502609c59ead95

SHA1
80b6a03cc709693aa4d81d3be4e69b6e741b21e8

SHA256
8dfc4be14d94a58964c0f93a0ae5e722802399a955378518323594560ec53e73

SHA512
ecac2de6f4f6415509a0b7de9dc1d8dd95999c0bd899b7f00b504559b4ad2b875da57d32ad7f9467a002ffc263c2d7a91d9d85b9e344edc280136fd3c2182c2e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
356afca2a6ec55f59bb57a096d05fbf0

SHA1
16be0cd0df848d9965bf9de71aa0bf50cd9dfac8

SHA256
60e18ae0ab13aa3aae7640e5b8930a44f6293503234929ec1ecfe3b92dbf7b7a

SHA512
a4f860d752653969f8b827a3ed8f8313ae76cc624df852a94325a7f72c9b59b393cbfeec8560381bad5627a25a008b10c22b0e2ff9a0f2f3a0ac28cffcaeca04

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9fcf4d4f032787c3e66f8b1561af0031

SHA1
e02f318cc4b1a9d6334041de7324a294f70fc482

SHA256
c83bd607b3c1c32ca021cb2113215ef15fe4c22536e27428d28b102b4fcad4fd

SHA512
d6bc00629b86551f710c36f4f2651783adcb02d1664a020cff0ed61b68ecf24a0c23dc8ccc61088819402a12db83c03724c23ad4b7e00437e842c211c037d38b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ad9d69cfafa9c09315f2538722903d7a

SHA1
dc0ef3a021430ccd62fdf7c94293a5c42b95132a

SHA256
79cb5a6c5133bfd11952abe3f525646cef7a486c23cc703d6cef4196c6fba361

SHA512
3f648f2e545f46ce5c1a83b86690bf9212031361d60eae3f29fe99010b07ccd8bb7c76830fbd06ace1f81d5866d8aa1be887995011852b8a2e25b5d1f9445a17

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3b2a5e36de532c5a1d4838c6df64100a

SHA1
fe985da517a7216df2be2e57bb4322b11a3172ac

SHA256
ef7c853daafc6009e9d6708a43aef11e3abc159a71b4556f0ee6bbecc6089543

SHA512
78d56c659004a2f5424e1142f289171e60614d5881b3815406211f8286f5c482932faa5345710f71b214802f49cced58266c8b960cd58edff3258c298fca366a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
553eca8732addffb529074057c17c0b9

SHA1
767e0075f0babbe46a4cb2ea447176532235a7dd

SHA256
000ecb929f7cef1d13ee641fa035b83887b5e0e24881bf07f09b61816738ba7d

SHA512
7f332c2a8e0ee7605536316f70bf55dc4978c41417a3db560a42fa10335028360738d30082683815b7f18336eae17f60c8f6e97632af80dbb8804fd962719ed0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bc63f350b518c738e0986de05c99a356

SHA1
ba7f529f780bdd8289ecbfa5100851b908812adf

SHA256
606302605a5573d5bc396df80c25dd67879616aa26b9d1a411e57711560e4744

SHA512
3c73fa8463070dac7a5db57f3a82aa6b0ddea84d0f9cf56037c485dc56d32bbe16d176550ba365279e41f329169b63a45f3361e167a966fcb1d49d7e6251c3fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1a67fb8193d50241c8d2e6bbc6020a3d

SHA1
f97d633cadc59da25be0d6d15806ea08ac237d18

SHA256
991f7ce4c0e1852dfb69adace9d532b6d3cd8ea518263718eb4257d5c6c076d2

SHA512
cf596d47bf99594b84d2a242c6b89a0c85310328af6c969e4fd2c7496fee66e5cb6862859e05bc4f8a632a1eccb8c115a2e6af78acfb44eb976317e5d72cb609

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f00d56bb14f352c66a326dc214425679

SHA1
2eee940c3f8c5bf5b3c18baeac048eed94fc9a6a

SHA256
c00a70fbadb5ef12853618b8c9e51e763301293594463f26a9b6d4cf3c44dcfc

SHA512
0fa5729cb5bbbb0c2040405eb68d7071f7b9ad27ce8132adf4e04ce889d95c6aeeb5238cc841d3bb948f3e6ca219fcac5fea25684ec213b9ec669b7f6571257c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
260b0e3a53746be1616919a463e54706

SHA1
b9072f17d21fda3f40461b4914c6db71da4eba8a

SHA256
fb43de18f8770ea8ba236b039f9921a267775967cea473b62e288161988a1309

SHA512
3963fe59b81b64a12fe5890d0dbc1154c574995dff77133c4a4477d76bf4f6fb6556f4cded428381936ad94494f94e3374413d500b2cf115740d80080fedf434

Download Submit
memory/1036-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1160-346-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1364-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1364-331-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1364-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1364-749-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1784-751-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1784-468-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2184-344-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2352-338-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2764-332-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2896-50-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2896-326-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2896-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2940-17-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2940-745-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2940-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2940-11-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3128-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3128-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3180-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3324-35-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3324-36-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3324-748-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3652-340-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3676-21-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3676-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3676-38-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3676-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3676-6-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3824-474-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3824-64-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3824-70-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3824-328-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3936-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4116-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4116-54-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4116-83-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4116-85-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4240-327-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4260-347-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4264-336-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4552-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-337-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4820-750-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4820-426-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4944-99-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4944-87-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/5220-593-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5220-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5428-566-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5428-753-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5892-604-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5892-530-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-551-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-752-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download