4a8fccf164f4ad88916f0505be31cd9c7f240b15fffd631a280e0be41d5c8b5e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 07:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
Size

5.5MB
MD5

eab91f8c8d4e957ed9ff4f287cde5edf
SHA1

b3806abdbf5dff546483d68d8ac3efd0389600f8
SHA256

4a8fccf164f4ad88916f0505be31cd9c7f240b15fffd631a280e0be41d5c8b5e
SHA512

55499d775c44465500814d3b73c8b27d531a9419f77dc648cde07f1135d9f22945f3169d11b47fbcb9bfdeb580080aa5b59320d073366d5a7589f1c66024c4fd
SSDEEP

49152:XEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfR:DAI5pAdVJn9tbnR1VgBVmufEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2132	alg.exe
4052	DiagnosticsHub.StandardCollector.Service.exe
4976	fxssvc.exe
3912	elevation_service.exe
2248	elevation_service.exe
1836	maintenanceservice.exe
3648	msdtc.exe
3972	OSE.EXE
3992	PerceptionSimulationService.exe
668	perfhost.exe
4312	locator.exe
388	SensorDataService.exe
4400	snmptrap.exe
1624	spectrum.exe
3780	ssh-agent.exe
4920	TieringEngineService.exe
3772	AgentService.exe
3720	vds.exe
4108	vssvc.exe
1504	wbengine.exe
5032	WmiApSrv.exe
3856	SearchIndexer.exe
5144	chrmstp.exe
5392	chrmstp.exe
5496	chrmstp.exe
5528	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b8ef8f02c9b3195.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaws.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133647246319748941"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000383e16a76cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bc19e6a76cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001941db6976cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c98d086a76cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf615e6a76cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc81006b76cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2633f6a76cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b63e196a76cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b63e196a76cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
6048	chrome.exe
6048	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4392	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
Token: SeTakeOwnershipPrivilege	760	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
Token: SeAuditPrivilege	4976	fxssvc.exe
Token: SeRestorePrivilege	4920	TieringEngineService.exe
Token: SeManageVolumePrivilege	4920	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3772	AgentService.exe
Token: SeBackupPrivilege	4108	vssvc.exe
Token: SeRestorePrivilege	4108	vssvc.exe
Token: SeAuditPrivilege	4108	vssvc.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeBackupPrivilege	1504	wbengine.exe
Token: SeRestorePrivilege	1504	wbengine.exe
Token: SeSecurityPrivilege	1504	wbengine.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: 33	3856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
5496	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 760	4392	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe	84
PID 4392 wrote to memory of 760	4392	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe	84
PID 4392 wrote to memory of 2948	4392	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe	85
PID 4392 wrote to memory of 2948	4392	2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe	85
PID 2948 wrote to memory of 2936	2948	chrome.exe	86
PID 2948 wrote to memory of 2936	2948	chrome.exe	86
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 1628	2948	chrome.exe	106
PID 2948 wrote to memory of 4872	2948	chrome.exe	107
PID 2948 wrote to memory of 4872	2948	chrome.exe	107
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108
PID 2948 wrote to memory of 212	2948	chrome.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-06_eab91f8c8d4e957ed9ff4f287cde5edf_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc535eab58,0x7ffc535eab68,0x7ffc535eab78
    3⤵
    PID:2936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:8
    3⤵
    PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:1
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:1
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:1
    3⤵
    PID:2304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:8
    3⤵
    PID:5640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:8
    3⤵
    PID:6092
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5144
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5392
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5496
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:8
    3⤵
    PID:5152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1924,i,12779914031580577900,11125788667962427892,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1656

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1624

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
18a7014825a2b38249126cad78064f4a

SHA1
99214d66dae9972addd847f32b00958fe378624d

SHA256
e5762fd75c2df1bfc4f592ce4b35ceb17cb09031c9c2d736ee245e15f70ebe50

SHA512
44d0a836cae9f867375d5b7ef0b4149e676617b8080faec3fca7effb2f13f524df5c16906a8f61e3a4fa9d0d397194b0040d2f0601ba19387fde2bc6ac9ee1ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1b9caf9ef2d4a00fc5dea80741523f3f

SHA1
62f6b7ae47a337fba7bb23abb564b8e46d1461e5

SHA256
2100f49c9994b88b550f78b9cdfd45c82032276f7f142a12793655f8a3814803

SHA512
eee8daa71f304d3cc84893a1ff09745d65c3a22ac910933571cba8cda0148a462c72758b639ad936129e98fefbb3ed40e96773822e3e601d2979083da818993b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c5824f926b961f00fcbda11d3bd140f6

SHA1
9bb5aa28c65b6fab98e1fb21be4cf16b707f34ab

SHA256
2e7f9b7fdd40843f854d08f73f6a04e5eb7feddb5f61fe4114455502e749f399

SHA512
012f5200cb72999e0f8c11a1796932a94900746e6a4286bee18fe214045acdd5de235e4e8f74250ee7bbb26e9b8a3797e32c70899541467108eb86ea1cd3f660

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d6438a63e6f184e98c759dcb091b2f6

SHA1
b8fb4f2c869c6871983a848eced7c3b9da5a44ec

SHA256
46f5d0465525440dd2d8580f720cae25703c5fe81a9f595eec19e317e93734d6

SHA512
c0fd3905300c4fc931d595a2ea60f54dbb14a8dd4120bfbc2831a3db3a8bad260754e2e66030be3a0e3e7a3798b7f7796dbc820104dc841ba718c962db03c282

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c6f240b546b345e72800dc85e33f937a

SHA1
d3fca548ab36bc2bab9a8548d1978c0eca0576ea

SHA256
0513fd92d31b4712370de368da197539b00b33093d667012abbceadd0bdfc3df

SHA512
f9161378186137c9851d5139f8b291105ed7fd3141289d330e5cb9ecf46d14b1e96127e733444c5922b5e304aec2ffc420a5edf8a99058505a4f6588efaef9e4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\dd446065-0dcb-4de3-b8ff-7cd86a36fb37.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ce3e35fd10a3385b03394669100420fc

SHA1
f25fab308b36526c8ac5b51ac73178c91129337d

SHA256
12164ec23f6d01efec3b166fda397c8c116ae714f57c0160741c0089e0bee6a2

SHA512
c06e80d2491c44e934cefde10cc9e50633553c49224df4a250d40f7079ac144e7e84a24ce427b8db9332df34fdb11fffc5b356e46556e03fd1beccaaca452848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bc8fd92c4fe70d3895a08c885bab282d

SHA1
af31bac7455ffb16504f22b9cb4710afc1420ca2

SHA256
67e40a252aa6be9ec7bdb162c83697042325554f5af25b661ce16a0a40b75369

SHA512
d41d4255a6a8b2099c7edf962387268cf5b965bdf35ae1b5c78a3b5f6494dab8121d87bdef201e7ccbf6f2d7539434d5e13145eae3e640df62c5d3ed505d33e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
5a1e747e125a452f5c8b5512211ba498

SHA1
b7d72abf70f49a8f813f46eb2a2133acdcfeb1ab

SHA256
df07f59f508a7da32e0fdba9e90afbad2197aa5733f3328fa0787c6b7936901d

SHA512
07238224dedaabc057bffad9aebc9e752d1f576c686436b9dac4a5e4bf51ea9a470a8f7ab757fd961ec3126f6b7bf23746aa53cd501431500597eea7d19cc588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e490e0ed50c6c723b57977be2ef085cd

SHA1
d242a49e8d7c92d2b50a0fcbd4a8a83195b118fb

SHA256
1ea18334c0f5b29c8b47a415b86ecd4aab1cc3913172fa7768aee0d806541ac6

SHA512
9ab7b75bf4b9231a380122ff0df0c918ee15b69453ea99dd99ae33909714131d564219a5e0dedc98e8783a387086d24b8ee50a9351ef246361c3d1cc002e57ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57bbbe.TMP

Filesize
2KB

MD5
a075394cf373a1375d743f487133dd66

SHA1
3afefc84c2ea9c9feee37f0d49390673339da665

SHA256
5a3db643c3c682219a4e9dab1fb3c32ec4cc7acdbabb33dfb8d79da449c9f60b

SHA512
a864fafa35a2a5a9acc4b1e3b2bed5c2105f447ca712e8b620ec31a90baaa1ab337ed37d1ccb112485f4c042be301ced9df19077926a002859df5700515d66a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ecc14aef6c318fb859db170f26f7112c

SHA1
03b6d4e90e4d96dc26c2d9032ac838e01b7736f1

SHA256
aae5bf778b527e5e907f50e506ecf9f948bf4be99e80f8764b52ce25187b2a2a

SHA512
1d2a030765075064787a9cedf1c5f263e792a6bfcc8ce122dcd82d863005e64190d0440cbfc2897286b41c1455b9722ffef66fa79f7ae1b3329c0eb9ccb62978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
1e59289db37b08aede56463c33d825da

SHA1
370189825d4a89164684967392803e1527b000b0

SHA256
1d3736800c7533872e6c8ce4e235b4a1ae17c20d4d27feef35b8ea12e8dd125a

SHA512
fb0c7449e50053542855abf3b303990d1ce1ad413a9eff8fe0a9d5430036d619ed8784c9bef680f274ed09cba0828af90451734c0bfd48e9ab12c0eb26a39292

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
3e3a3d9c2dc14dda5f4174715c222cac

SHA1
75ca0d89487b8872e00836fef5766527d08e15a7

SHA256
e702681ffe81beeeaf4d62954d7410203528cbddfe12020a7839bc77f473d914

SHA512
545bf659e1c0bc60240922bb32f4c39cf13b51b12c80e20703fc06f953a89b80759699a102a77fb540b3602b4ed92729a555eeee1c82d871080ec93a2c3195ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
79eced0a6e6d6c397246620100c6d1b8

SHA1
20a2ce43e68857bb6e2cebadd414cdf0bafeccfd

SHA256
7a0433dc0ed0f6337082a43d2ee34749fc727c6a2099897e7fcb06549d9c3e96

SHA512
99c194b18b55a62701f4443b3732fee0041eec72d1959841b498bdcec41ae5f44233054791b8c4f4ed0a56b8fc93341a6393d8453ad29092adee49bf9c2cdd79

Download Submit
C:\Users\Admin\AppData\Roaming\b8ef8f02c9b3195.bin

Filesize
12KB

MD5
7dd4713ca6e3ba1aaade5291cce87667

SHA1
6e2e8c9e488d4e634c1f1212323186c1ab70449f

SHA256
13eaf82fb5459f7311ce983ea38af49a7bf64e445111d0a644f15a8785f096a4

SHA512
33e1c8d4494f1f59940ac555f2f392f3b9b7ae273f2b6cb3da9c7fd0137ec74ad343a359ace59f973a22d3da6903a4fc22226b65316b87cb1c976e9085efa7ad

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0cd9a9fb1d5e17d626b99d9c9a9591dd

SHA1
3e2c1786293698ff1559dedc419a624a9f22b97c

SHA256
e061605a01b0022b9298dd128da1eb33b2a72f4248713be973f546ef0a3fcdcb

SHA512
6fbeebf2eb66f7599e3de255c24b41a02d18d1f5fa55d4f61d94e6f16cc93e36b52aee45af23e7fe35e50a236cae4f87dedcb9c439bc2849d8ac523f3e5b3f24

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d03d5e719a86bbe7d9d8148d6bf15b6b

SHA1
0fdad700047599f8607f77938464b198d310c171

SHA256
78d46ed7e3f413e5df9d3e9c69c8aabfc55d0268eb2e7d243e82523bc41989ff

SHA512
b5579dc6f89ade3982f0bf26ee0a37e96fbec72b0b2b4031251112409836a5527c764bb7131f566141d39bcb5d7ea019a0009e6221d6b1765e3d7d6e755511a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
34ab47b613761e6e5f7116041500c232

SHA1
f2205547c0783823e3685ca45cd5e6ee23dd78f3

SHA256
be584022e012280ced3b9483e683c54b63511d0346dc3f28d8547482c2bf5087

SHA512
fa1ef3a699964eda1273f4e47057f3f2559d8073f1716620ba11ccc2d9d81a8e662b7616285296d99e622312ee01da3658daab801681cd9b227aa8dc926511cd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d7a95545351b8eaaa5d92922c1a21032

SHA1
018ea8315d08e5e6e3ffa162d866b8e685f52b45

SHA256
c92279336da61b22d960625f4dc31d16f6a22db1e035e908c2dc9e9267e63337

SHA512
276ea94a63a9b783c69271ebe710ff6516c9515563722ea738359e8f79b0e2888d4c9b6589daa3f87d084e18d7730bc7fbb25e39d395f11d7f5d3e8ec4eb8b86

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
77dc76417852052e9f5deb4b1b8bac2f

SHA1
a0db220759496fc04495eb87b4764d1762b71ed8

SHA256
e84f2743fb5ae4eabd99589dc54250941ce2585be4477ad0d256417800ad07fc

SHA512
b2cc6f3553dea9bf9060da2725589a3a5054b650642cf66874ba8bfeb9e8af94a7ce715c25aaf1d3a3ca3ce7e29c7d0de380eb2590e0e87819389e1b342e1f9f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
58b1773fbf946dcf8e7a4373719d8506

SHA1
15abfd5b19c0682659ac7041b41d9808d6739e64

SHA256
d5766a8d3ed84b3e4088529de4cf86c13a15e94b40cfe35c5226634b830d06c3

SHA512
c52c5e38eeb6b39a656c7f2809913b7121baad201fe1e38e9b0359e83cff7845da3c063b94135646a610eed73a7c78035f6081053f6edf0ce8c5751ea207fb39

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c78a4a151d28d1ac42d8ecf0167e949c

SHA1
fefb32eb25d910e90df14543f194ba12527e11ef

SHA256
099ce51a74a1c63e7e50961283ada6b5c876255695d9678b464292c58fbb3850

SHA512
a8a42d537b84b3e9d30595209162c0a60976c34239ad4cd09313958c39c433408c83552f5536d42eafe0447abe1f2175b4b32c165b0b051324ce5ae692331f26

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0b8640503d81af99c6c9d4d66edbc045

SHA1
523a7137dd797bfa84e3c2b3c5a2bcc3f820d940

SHA256
f2ededf9d2130081c1ac62eb58500fb343ff1dc9359d2eeb1067aeb8e78f86b0

SHA512
7cf19d96dee0e648f2d74e620ae806d545a5d3b1101a640b3c225ab932aa63ec82638c6b61d29b4dd9208c40a160af3816480aaac8010602490c16130c3c2597

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
755002711d84ebaa10eb54dd7d0f9f01

SHA1
40cdaddb0159cc0db1f20a63f942b344730bede1

SHA256
0a79a65a793092c9a704544b1e4b84c5946c873674f9b7ef4d5a7b860bd5dbd3

SHA512
7fcbfc2256eb6941785a53dc17032b78b02e092914780f66b1a086be9d3fd26771dc5e001611f265e7c9456c2ee6bae6fccdcf8a09f8544263262f3e6be0fdf4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
06d04fb89d0eadcb9e57661f9cadef7c

SHA1
dda58a418549a8c13dbf395de48458608b66332b

SHA256
dcf90feff9f99bebee81e43f0438b6be9f087749b7b2b46bba5d3c1cb607b962

SHA512
365ec655f50ebf2ea0a3c507ee127f18d6e412661eb8e6f813d0f9020169eb3ae924ad8dac04d58dfdfd155241a15dd17d819a9226d1269511385c0e9639558c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
481c58441aca41c396c24f0ee15e8249

SHA1
d74acc614ce045eac1ea5734d67b78265ed5b382

SHA256
d26d28ffce3430fc795f3a8e99d4d919df6c8bc1b55f1bc048b9980e0d5e8a8c

SHA512
fec6b05f7b48eac3e916d83a80dd496448d40297656d71d446b9f9fd285f3b9076bbb374834e878be0209334e39abfd02d2395e8b5a62e334e07815a5a1ed0bb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e5ed2cfd700f3b232a38719617ca15b6

SHA1
f087e4674315e91ee21b69f848b44d06b4e8c58c

SHA256
3817fbd58a5509ff0c6ca739034693d37d86e32c82285edaf1f503f948eb31f9

SHA512
e7a5e917890f5b1537805314ad93acb3492113eae34095c3c05f8fc4a9420752ef4865fdee3c554e8532b6a956c9a0f02fdda9c7e87400a03df9740530dff48a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f1fa58913ca846eb53e1ac4719ca8031

SHA1
cae955174165cd7990b14d1cebe36dfc10d1c2bf

SHA256
18fbf11509a3b0159283b993c90a97b7d2db890232ea72af813ceb220ab8a410

SHA512
62b405cfb5ba6e51b36ee17c3efb06590062b78d094ada2e86cc5b7f9b455a2060cbf97ddf362ac39ffb74b74dd42a2a2fc83bb6e7e2e1ac9a590a8a492d2e02

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9ac5b3e71a0a09b19ce65b999bb26bf4

SHA1
582c2e9599d390c0df223dd557e2ac116669ecf0

SHA256
892f9e45ddd5342f7a8e48eba9c05eebb9c6a68a65e47cd86c796436c9d799e5

SHA512
2d54ba9e0e3ba8210476de0ccf31185f12616369567acbc9bf82b3e38e3098f1400f2765120f69a4b0c7dbd0493793f2bc48b0037d635bc16531668095a2c779

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
523ab456a423b3425eac96e9ce620f1f

SHA1
6f2d6349072a765f89ab5c2ffa1181d67732b5ff

SHA256
fd1fe8445a78dc15bc429ff6011414d170b81c1d99c1c47be68b98b9cfc531ad

SHA512
27d7f3f00346dcdfdc2963f37a93254ce2f39f39ca8f78b297c383810305c13bb6cbf98271ccb79376a3f1facae98ba35e9e49c9a1fa52166590814e5574af6e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9172828e928fcc8c650a98a7cca7a6b6

SHA1
5f946e8b9369861217a8e0c4fc2c985a67cd104a

SHA256
8b04da81794ca53067f346e977b6d85d890421622154e84af008ccfc90e5fa46

SHA512
c32efb9e200d8a076374079c7141fcde94e95e4f9ad6451b1f7de6320a53ebd00c9d6094cdf405c5ae7d8acbc8891eea10a7dacfe4663e17edb52b0f5c44afa6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
be71e8014a2f2bc05f3b410826ad06f5

SHA1
0254ba8567ab2c1f6f8403daaf4a2e0cbc126269

SHA256
b7af1cb7448d84e8acdb2536683ea11d332dae3d46643bf97069d0953c1a94c3

SHA512
b2813c405a0a05926b49b0fe8a8681989b3029359bda0f8083c0da6702960efbf62bae1d31ab13652d082ddca167364946aa3a81995acc2081a6c7d70987ba50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a27b477dcdceea2371889b799b6f0def

SHA1
14e82818a1797096b075476f9e0f2ac72218e2f3

SHA256
29c0782bf60d924bc218bd04068b847d6371835aca642dfd4e99ba09d8900b29

SHA512
a11635752b6ed1b099a2ec7a0550ccefb7f7c8238721df5ba8d6b803dee729d096a62e4dbfca20d9b641f2879e85a0f994e278c1fb40609f1daec1fffc081f0a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
39e76555b185e8de64f34c9ae2771689

SHA1
d877c73c73b16ba52b43e8e6f9d18478e873090b

SHA256
e0ecdec20c15f3b2442c1ec26b350c16ef9d4f35251fd8cb90153f2c523484e9

SHA512
2ebb945e0594e2ac51b014073ac614886b62e187e87b9c6dc5b5f7df9b55f6c3a035b75517d9b6d961a086c435dc36534815d92bd4627a6c8de2b2bcfdff6c95

Download Submit
memory/388-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/388-590-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/668-184-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/760-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/760-247-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/760-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/760-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1504-736-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1504-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1624-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1624-554-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1836-91-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1836-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2132-300-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2132-38-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2132-35-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2248-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2248-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2248-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2248-553-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3648-181-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3720-256-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3720-622-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3772-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3772-242-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3780-201-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3856-303-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3856-740-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3912-73-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3912-67-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3912-245-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3912-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3972-182-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3992-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4052-42-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4052-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4052-52-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4108-735-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4108-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4312-185-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4392-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4392-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4392-6-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4392-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4392-24-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/4400-187-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4920-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4920-612-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4976-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4976-77-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4976-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4976-62-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4976-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5032-302-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5032-739-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5144-578-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5144-519-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-528-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5392-741-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5496-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5496-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5528-742-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5528-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download