0bd2b6dd7a390b814eb67e16dc3e0c8ca3268020feaee1d25908b7f01002ace4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
Size

4.6MB
MD5

0cceaea43daeacc5708be350e3eacfbc
SHA1

1c40e4054ea2658757721c9dd89d38cb7f64a069
SHA256

0bd2b6dd7a390b814eb67e16dc3e0c8ca3268020feaee1d25908b7f01002ace4
SHA512

9b4df0ae8bf2737b26d66b282f6021cebabc59b40c3ef3596c7f28e7517dfdc136fd5600c1c30cb80c8b7cd9dd487b72b2dfa6adbb6a9bd29d636ca78329dcf8
SSDEEP

49152:sndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGZ:G2D8siFIIm3Gob5iEDLZsOkg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2188	alg.exe
1152	DiagnosticsHub.StandardCollector.Service.exe
2996	fxssvc.exe
1688	elevation_service.exe
3596	elevation_service.exe
2652	maintenanceservice.exe
4512	msdtc.exe
2136	OSE.EXE
3196	PerceptionSimulationService.exe
4056	perfhost.exe
4272	locator.exe
868	SensorDataService.exe
4516	snmptrap.exe
380	spectrum.exe
1736	ssh-agent.exe
3768	TieringEngineService.exe
2808	AgentService.exe
1972	vds.exe
2140	vssvc.exe
2396	wbengine.exe
4768	WmiApSrv.exe
3276	SearchIndexer.exe
4856	chrmstp.exe
4452	chrmstp.exe
5376	chrmstp.exe
5460	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6bd2fc3b293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000899e299c11cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d08919b11cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084ed379c11cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fc44f9c11cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641315893022158"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e49b69c11cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000171c859b11cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adb4fe9b11cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eee189c11cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000678a359c11cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adb4fe9b11cada01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
5632	chrome.exe
5632	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	560	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
Token: SeAuditPrivilege	2996	fxssvc.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeRestorePrivilege	3768	TieringEngineService.exe
Token: SeManageVolumePrivilege	3768	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2808	AgentService.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeBackupPrivilege	2140	vssvc.exe
Token: SeRestorePrivilege	2140	vssvc.exe
Token: SeAuditPrivilege	2140	vssvc.exe
Token: SeBackupPrivilege	2396	wbengine.exe
Token: SeRestorePrivilege	2396	wbengine.exe
Token: SeSecurityPrivilege	2396	wbengine.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: 33	3276	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3276	SearchIndexer.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3276	SearchIndexer.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe
Token: SeCreatePagefilePrivilege	4376	chrome.exe
Token: SeShutdownPrivilege	4376	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
5376	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1080	560	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe	81
PID 560 wrote to memory of 1080	560	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe	81
PID 560 wrote to memory of 4376	560	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe	82
PID 560 wrote to memory of 4376	560	2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe	82
PID 4376 wrote to memory of 3912	4376	chrome.exe	83
PID 4376 wrote to memory of 3912	4376	chrome.exe	83
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2572	4376	chrome.exe	89
PID 4376 wrote to memory of 2908	4376	chrome.exe	90
PID 4376 wrote to memory of 2908	4376	chrome.exe	90
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91
PID 4376 wrote to memory of 2252	4376	chrome.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-29_0cceaea43daeacc5708be350e3eacfbc_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c8,0x2cc,0x2d8,0x2d4,0x2dc,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9272bab58,0x7ff9272bab68,0x7ff9272bab78
    3⤵
    PID:3912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:2
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1728 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:1
    3⤵
    PID:3420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4192 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:1
    3⤵
    PID:4308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:2912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:5424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:6004
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:4856
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4452
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5376
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:8
    3⤵
    PID:5652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1896,i,15415792430873941705,3666821919088018940,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa135a88f164a8ddf57316f5a35485b1

SHA1
0b1687a491de57bdd03056a2eca1014d8e215b45

SHA256
123d72957200d36a1f9c09348d17ea9e34405a6d76219380e2cf665e1d7a023d

SHA512
6b109548cd115ceb1003feeb3ecf9ed07709036eb8aafbb66000f566da15f52edd8fc307ec46d533d8c5b43ba9f4c648884e8d66dea8f2c58aada75208cbc790

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
904354fb91c3bb5b20ac894b8d6cbade

SHA1
d7b99f37d3439ea9847eb786fcd35588c950f415

SHA256
b2fbe2eba5ae79c30fd903f3f0f049e7e48dba4f2f55452da32e4b023abe7646

SHA512
bb5acb71b23109d0a12338946b01854b36aaec97c6fdad826a21e55808d5570cde16b5137a3c224b2073dc5b2ee1092ee9bcba2d091e5d68b2af07bc006955de

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2777a44950128115dc59827cfc1d3fe9

SHA1
4bf241f876a93ad265f699f93cf9c92b1695593a

SHA256
d9525b4692299965277484dd083e425834defdf8ae62a52b448a6c20f2f388f1

SHA512
2b837018e9414a021b1681f2c316468e61bb363bb6b01a65deeb7f66ba555a4277418a10ce383a2315a435c88795f1f42d6d85d9966f9d15a0a7b262528d9714

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f08ac2da577bb3786951c0e8094fef68

SHA1
49dabf3ac57fd0a8ec63797f1935c40c3eecdba4

SHA256
840cd69d530c493a78101588dbdd05c7f52debce7084e7fe809010e7e4e6abb2

SHA512
fe3ec402109b1296901ecada5726e7713dfebb34c49ec42fff8ff57cdd409a54e1c3cf4af12a015bbcc4994ec3e1e334ff3a179d9db25c6f39a268797a1b3151

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6ea3ceccec012807f3e867afd703722c

SHA1
5fa7bb6aaad0b6d58c49d1d5e79986f82f82658d

SHA256
081d2b1c7e5aa59c6acffa70c1aa8ae442a62bc8bd5239a69a4f4175649667a4

SHA512
5c960f8d7b5770109a22fabffec96d7ea3c54228da6a73c3925c9a44dc4a190d8d850664d26c074b702c7754f79980917611085dc6bf7594607bcd6c2c89987e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\f9c753e3-a45b-4e19-ad4a-819388f448e0.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a80ee4dfdc3920c3cfab0f5830093bda

SHA1
568661849fe9ca8607b5e2aea2a4e914aaf0f832

SHA256
4aa4a858177bc7a6f84ae020a15461d8ece477aa235781d930f48f219eb3beab

SHA512
7b02d5176427714225dbd1534187667cd576f1559203610f3422d214e37e3e51c3da9f1691fdf0aae85380e3965d9ed6ebe410258dda92b0d0674f85b2bdeb30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
c7b046a56767d2bc83335f7150ff735d

SHA1
84e5aa2724d4df45ee43a145bdb87adbb8067084

SHA256
091a7ccbd0b858bf7c50d93e64ebaffdc521e86d23d25077aec5eb15a6401536

SHA512
374b18933c1f9ef968b2ffbb517afe805ac811ee4a38fbaf3ac99a4b05e1beda980a11ddb3b91d4d2fbe655d34773b8d98c64e7dadef88efcb52b03db21c7c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
76bc17e7b12a3eac95f77591187e1a5c

SHA1
fb32558a439d025688a7b73c78ec632f73255cd8

SHA256
1907b9db7b44cab989e5395b69a6c2cedd4f4fff43f58f82238b906a16e607e4

SHA512
b022b84cf8cd16ae9ee03efb0f9134a8942309356f0f61e2032ef8411c8b6c3cb0bf05c9335dbd6e661b09cbdc40f0020966bd841576e3cfb3f762e7013bd241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5778ca.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
72175602a4b558649215fcebd28277a0

SHA1
d2f70abe95564f472d1882ffbd542c22346f8e4c

SHA256
1671fa692bd0836a4add78486fa8e2a3dfe1b666af69d40c6ebc62887f162ae4

SHA512
89158c4b566f325b328f63ffc1f4b7e0c524e74ebef85ffea2c95b46c20f52f10287dd6a36692c5f69c542594c2770991baeffc1c7ec30b82ecb365f56abea35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
f20ed465b3199c44acfca321df9e9815

SHA1
40b19862df0f37ec7d0a07291c6c2a55c8f2c9ca

SHA256
91bd39452533092be307c18ca4173ec9bc242dd8286b7db380c09636cff7b4ee

SHA512
c2ca6e26b0e58f5c8566830bf0b72b7b9a657961166e8aab51715a40d8d892f37b9d37b38a894b385062dbb12dfca7eaa2178c49776988e856403069fcedb544

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3b76b00c2238340aa2305e8e4aedd76a

SHA1
8ad8e6118629276bc0633c9799f2b6cd44c465e2

SHA256
99c93095458a68de13c5871817e3ee1cbde9ebc41d3384f6aad2280abc29b5d1

SHA512
30c883b826561972abbd2d9cd8c737853dde1246ca62d9542846522da945c9fb0b0e3a0d0d4dafe5341ea63237f10812f927309d50a77f00e7b32a5966e898d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
81495be971265e65595bece8ecb0e6a0

SHA1
78f8d8c088c0ce8cbb518f2a38991edd2224c1a0

SHA256
aa48fc9a8a53e8030829ee083ce7bbce0cc7d213526a75935c2e82dcdb951f08

SHA512
8c8512518e60cd6a5c5ac974dcbe78f6875d4dde7b5fd1dde703e1353eee69bb9c7e99d8bdf36522ae7e5a9094292d69576c91a6dfa77b0a469a5ca6402f358a

Download Submit
C:\Users\Admin\AppData\Roaming\6bd2fc3b293b476c.bin

Filesize
12KB

MD5
06cf918577ecfc76943bfa4dff275842

SHA1
84daad41f26d705a4e05d1b1376087b7caa2608d

SHA256
ef883d722f50b40d2b6ace7aaae593ad68036c78e1d67e55c6e22dd7f0c0b7ab

SHA512
ea892f6fc8838411bf1289cfe9f3b74ebd9716180a3d46c127248c130f38106baa7b9a456f95ea18bbc892159b575bed9c3333d9a4101981aad0785aaf71be2a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0bfd865879ac73a90fb3b60b410e67e2

SHA1
aa4863e0bc3029061751c1993610dd15789fa058

SHA256
91f46fec0771a62bde03f2fdaeb7ca352edeb1c740519017b487c510fd8c292a

SHA512
a3728898b39bc4837decec219312aed4346d3a9956b7c9b4d06d987f2ab42f31ec968fe1c3b629171d4eebea3859074e0833bef6ffbb9c53c92fd7dbafbefc7e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
77ec11142cf662bc65342db2d20fc88c

SHA1
b259c544dce1551077db1b7b68f42ddf99b47d7b

SHA256
f7e033e0105fba6df2150e67f9e85417b6f23b36dadea334bb04c869bb421e9f

SHA512
b442cfd09e5a53811c0af30b765456968800a1f254728ae619ad4c16c41d661a3ae32db514c7a92c5bd134d50f2afaa1d970c80f77fc9e684d89734ca4ab78c5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
fd88fe34d9cbf8b04be3a776193323b3

SHA1
f33f3a158c796e27c3dab1a498988eb1071dda20

SHA256
ba9df8b56af5cfc9b1ddc8ed48bb92071af05c4277745e3d6bdfa5ad3e8796ab

SHA512
8095dbb2e2e06bc022f56e2140e1288d91e8a3de57f0d51fd9bf3fac059fdb9d82756f97dd7063ef63ed10d54e5fb481b518a46a0afdc813b9cbb2b88c07bd39

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d2a25fbcdeb1fd5ab33f37e5e21dde40

SHA1
554ba88ceb2b706c9aa5e69035a06fc319d80b20

SHA256
4f43ccf080a3a038fc9aa614118f8a0663f167b053185f067d25fd61e47bb118

SHA512
329b0f6dbea6f4fae2a80f1ba6cee4eac92e954e13fc1319aac9adc053400ec77fcadbee17aedcd9e6aa73b1ef32d5840af168332cc00e41ed76ef78fccafd58

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7404fac84ddc35e06bd3992461656f97

SHA1
6672ecbe269744056104270e3e0a96e85386b29a

SHA256
28f698d64f05c398473cd85a4170fa431a4416d7aaf3ef73d916dc65ff1ab89e

SHA512
cd905dad7f18a4ea2cca541e166cefc09d0c6f0e4b120ca2ef557801f2e280f2befdaab4c711a6b56ccb3868f752c5b73b52046f7830e90702bd12005d12cb9f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bb25e923e5de7c2b00d2452506f19d84

SHA1
499fb7609d0dfd863a4ee30576f761bfbf01509d

SHA256
e0d3a2d4e7d69efc0f9bce4de04efdb00e4a6e8ea651c3594751d97e949b09d4

SHA512
7ef41a702ee2c5480958c6afd268e53974a125a9ff87c8b9aea173ecff34e8b8b1350460d7aff050382b08ce17dd78118c0d299e7df318326cbddd7cdf76edbb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
373228252d9c0f3e4aaa539f34b58532

SHA1
5088578af9023c889eeeaee99ea7873efb2a0618

SHA256
2dee74aef961b62f616f82d86624428e2decdef320a42843d5cf0a8a8252376e

SHA512
96b2c5a50dd7bb20e58b9d0e8c84555d5fc825241731996b6806cf80595dc905d06c9620d33e9837bbea9ffbaceaedc23a32f06b91c369f08accc55a1c317b1d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d99f78bce7c43958597030d68a7dcbc9

SHA1
8fb1c3146f267bfa3f8fabac086d6f7b36f3758f

SHA256
71136ee4866ddda2fa6273f79933fe8d102900761aca3e87ca7d9fa492021ff3

SHA512
bce8ffe1cf0a52548236357d72a9654f881aa3fee4ed486d75d1fddd80cfd74a7c62ace543a4cc5b769ada9eb6b107c2fbf5db65ea9b968a7c4d16baa6e053d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4223644065549f229afb773f232977e8

SHA1
91fbc580ce92b4993e19074462fbb6d9477c0118

SHA256
a9a0857528c8eb30e4610ba94c2b5da5894a612df84a845cbcb5c4ddedac3619

SHA512
d00795c3b34f01522d3eb11b8ce601f00d5b8e986c6e1c252354942d9396be59ba55ada2143d199d3dac5eda44f91825632c5becb4dc2c27559af93ba6f9d3e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1d6c44f221924bb88e55d31d260d8e00

SHA1
f2ecdb3f66bc8f1c6b9fdb406059e02b7fb92b14

SHA256
5c31e80acaef1b1cd69e83374557ddba7a4c8488533f136839274918bd2750c5

SHA512
52cf7ed047396892f375cffb4058d477ab773557709e226b8def922d9418a37391d2576a02a02791ab322956c47a0be785d9ea16f2c7139713213b609ef87d32

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f943c7895f9cd7f51fc43409e9f7863e

SHA1
925a245675b8f61ec1a287c4d09ff1655c05c02b

SHA256
fdbacb2c59eccaf828bf899b3731ea9ce0a15232db564e1cee8c2e31c04df80b

SHA512
ae0a5584ba693504c8eed803c7f40be3d76e8ed344f46089cb2ef3c75cea5b546a615db48621134f5407488c4239a1ade85e448d624bfe6c1b80ef7584f28d9a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5623f6ecd98b871aa09d608c5a2892b0

SHA1
a14c969244926122cb9f3fa115db39b42b9aa752

SHA256
511829fe43e7599bcb2f07fc0236b413c068794d3b0e5779c3a66abfe69b0ef8

SHA512
d0ae1d114d4371ea4e8ccee01f7d56a123cb8bf7f926ecda59cab47d345c7fcebb283206388ac05a9e71aff4b05ccee56fd51211eef7045fad2231dc5a1e6678

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d13e3bcfb56324662e514b6a2e5afb86

SHA1
7174074a29d43974e4c5c01c28c890f700c19644

SHA256
0067a3846f6fed850df25b0fdf404e2ccc43e39df4046ea2ac9249c5c81dda33

SHA512
3e280a20c2b8720189c186fee4a6490ec57bdacafebcabf54323be6193a96bfcc07e686dd9872f96d9dc2d9acebc48b5367e56e14db27b7b008f74bddba0982a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
115331ba38955201d798152fe5ee8088

SHA1
c9a5d70cf66c2ec80a2bd912b4d16a785ef10b86

SHA256
77b61d696cf8c1c34cf1f1b6ecd9ac43480d11e22e82d30dd468dcf97c2420f8

SHA512
3b6c99cee939d20a1007ad71dd56ae8f5eb4edde1c5e9e44c8143e267cbf9fd64b5701398353dac6b4d41c102c0a5d81862ecf55473527d7ca7c5ab8808990a1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
50dc6d7248c73c31d4a62cf7ab6b1602

SHA1
1b5aa7ae776b75fdec5750e9a5fa57620c187bc1

SHA256
d0f781861097b920938c13812791c28fdcd228ec4246224cafb4357f54c35465

SHA512
7dfe2f463150fb878a08afcfb9b93107a048bea68b4a96b3dda7832e5c76aaa78c873d7165ee2e5941c9e5f0e24725e2cbdc5d92750944d028f30d20b4c42f94

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
484d2088b2fc67edc7de1ba03d49bb6b

SHA1
4e343e41b9a16c71e8ac3ce5a002c859a52663ce

SHA256
6d79d4c091eff37092e3a0ea8e3c1308b620e06e3061ff159b5d247eb56ac1f6

SHA512
5194c90dc71f1dc4ee52ecf6618a09b906007295172fcee0b1602db68bb0e3c29d56b7a68139e9392f5d1b08faeaa19aa1e2852dad8b0a73a503112b9c1e7ca4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
049e8fb389661b862c843bc34f1d0c9c

SHA1
d01149d022dc99111c33adae4fcd1c334a359fa6

SHA256
df67fc51740c661e02750c53364bf43a662e0de9bfdaec5dbe18c29db71f1ed0

SHA512
41df614d7fae6d6f30c487d958106178ba8c74975c3f865c0a90693c4f76138050993ceaa11d6a891b352105d92ab6d6dbf597e6868fd46986fa323c0dd9a2e3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fe563a87f193ce02596fc1a8e924a1c7

SHA1
c53bd7dbe65f811ccabbd679e2772f50949edccd

SHA256
30171342163add4437a8c6d7e6910e6e407edd77e36fee13a5fc43e706948b4d

SHA512
1e77daf1b907bbb30ff22ce0dcd13465f42d9b1e596a39c0d48ea222c0e88e9ff3e5c8e71f7bf4d59c2425c2a4033be65d0193ee5f0bb645e5820b719123e1e3

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
\??\pipe\crashpad_4376_GGMUTALBLCPXSLHB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-186-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/560-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/560-1-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/560-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/560-7-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/868-184-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/868-535-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1080-20-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1080-18-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1080-11-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1080-145-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/1152-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1152-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1152-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1688-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1688-106-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1688-59-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1688-53-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1688-108-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1736-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1972-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1972-190-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2136-112-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2136-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2136-118-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2140-208-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2188-148-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2188-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2396-209-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2652-95-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2652-89-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2652-101-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2652-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2808-183-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2996-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3196-135-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3196-123-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3276-564-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3276-245-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3596-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3596-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3596-87-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3596-407-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3768-188-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4056-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4272-552-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4272-149-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4452-425-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4452-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4512-105-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4512-434-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4516-185-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4768-210-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4768-563-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4856-412-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4856-489-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5376-444-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5376-474-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-449-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5460-568-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download