2f63ef5b3a424816546ee2bb337d5e7b312318aca23df8f675ec02545369bc5c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
Size

5.5MB
MD5

d85e3df6a4cc70f3d6a40d376df0b2e7
SHA1

31f0b65237407ee7212a15835a79246992bf067a
SHA256

2f63ef5b3a424816546ee2bb337d5e7b312318aca23df8f675ec02545369bc5c
SHA512

9c75be707121f590a0d6370fd2326bc752af53835b0be129e4326b96eb12436fd96b1e40eb770cefb1c2eb212edca8be8ae74163e2e4746e86bc9f380a1932cb
SSDEEP

49152:CEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf8:IAI5pAdVJn9tbnR1VgBVmynlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
552	alg.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
6004	fxssvc.exe
5356	elevation_service.exe
5188	elevation_service.exe
2768	maintenanceservice.exe
2384	msdtc.exe
2344	OSE.EXE
5060	PerceptionSimulationService.exe
4524	perfhost.exe
728	locator.exe
4588	SensorDataService.exe
1704	snmptrap.exe
3456	spectrum.exe
3068	ssh-agent.exe
6132	TieringEngineService.exe
4064	AgentService.exe
5600	vds.exe
2896	vssvc.exe
4196	wbengine.exe
4480	WmiApSrv.exe
5232	SearchIndexer.exe
4064	chrmstp.exe
1036	chrmstp.exe
2260	chrmstp.exe
408	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\68002c3bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0f2cc91f3aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acaf6c92f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001abdfb92f3aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b7d191f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000304ff91f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c50dcc92f3aada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096d93592f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000238a6592f3aada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000df1eb91f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018031e92f3aada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607101913316336"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4628	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
Token: SeTakeOwnershipPrivilege	4908	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
Token: SeAuditPrivilege	6004	fxssvc.exe
Token: SeRestorePrivilege	6132	TieringEngineService.exe
Token: SeManageVolumePrivilege	6132	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4064	AgentService.exe
Token: SeBackupPrivilege	2896	vssvc.exe
Token: SeRestorePrivilege	2896	vssvc.exe
Token: SeAuditPrivilege	2896	vssvc.exe
Token: SeBackupPrivilege	4196	wbengine.exe
Token: SeRestorePrivilege	4196	wbengine.exe
Token: SeSecurityPrivilege	4196	wbengine.exe
Token: 33	5232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5232	SearchIndexer.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe
Token: SeShutdownPrivilege	4176	chrome.exe
Token: SeCreatePagefilePrivilege	4176	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4176	chrome.exe
4176	chrome.exe
4176	chrome.exe
2260	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 4908	4628	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe	82
PID 4628 wrote to memory of 4908	4628	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe	82
PID 4628 wrote to memory of 4176	4628	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe	84
PID 4628 wrote to memory of 4176	4628	2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe	84
PID 4176 wrote to memory of 2676	4176	chrome.exe	85
PID 4176 wrote to memory of 2676	4176	chrome.exe	85
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 4568	4176	chrome.exe	111
PID 4176 wrote to memory of 5964	4176	chrome.exe	112
PID 4176 wrote to memory of 5964	4176	chrome.exe	112
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113
PID 4176 wrote to memory of 3620	4176	chrome.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-20_d85e3df6a4cc70f3d6a40d376df0b2e7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x274,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc634aab58,0x7ffc634aab68,0x7ffc634aab78
    3⤵
    PID:2676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:2
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:5964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:3620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:1
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:1
    3⤵
    PID:436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4324 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:1
    3⤵
    PID:5652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:4756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:2020
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:4064
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:1036
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:2260
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:1444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:3868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:4056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:8
    3⤵
    PID:2224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1932,i,3346536880271736687,14314669058947937996,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5748

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5188

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3456

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2100
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8737fe67b441b678b7f45fa20ddcbab3

SHA1
0b1034bab99ee172c0bfc85b92bc31629fa0fe34

SHA256
74e5fe8aee9e53cd106317f2e329114abf4a8c726b35d9b588f7bb365ce48e27

SHA512
836753b070e55753124babdf0719eec08a80a8242a4a19296b4e1528a0309c9684da679dfd766876a0826192468175c82222a443f9a69192f0af38323cc72548

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7ed98a8acbd87956a90a2625046a873c

SHA1
9b0c0269217d5a004348c5d5ff92509c9d5d441c

SHA256
2557f2078e535dae4e54b4c3018ecbbd96c2a07aa6509f370b855b400d1092d3

SHA512
30b4f02a8082b36970826a8344d7ef47a3680fc11faacf8e69def47cff952d39e64c6c6565dbde18fd7c2342fbb3d0e1caabf449924b8d4e148d77841600ec83

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c255901e24bae00970d1c390ca118742

SHA1
14352fbbc2cdba7616adb6f280706a2a625c2191

SHA256
078b6ca033678e5dea213bfe65ad0b092ef279caa266d7b9432e243c2847a862

SHA512
d716ecd318ba3c8679e479347402f2090144f81be2d706692dd97afaec2bf2962dfd5cec7561299975d4feadb4b109d0f608731dbdbb34c68cd1df31f8c828bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
76dd0e8594691920964f7c6b3742b5ed

SHA1
202a23391cabef933badf0b8b21ced7fc57a422c

SHA256
42537c3d6469c84b84163e17e630a1e36523cb087f566a71b7d3f309580a03a6

SHA512
5a2cbb0b04428420e90708a2a9f9a22d2d036dac9a2963cf16108649b9b2009d7fe7e20f021205d555e15327be0cbd8db911db722156d7d943a17b0db18a8894

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7e7215c616f4b2e23b1af31a7db54f5a

SHA1
935b13db760d43bb967063c3949aba1cf722c4d1

SHA256
b3b964d04c4ac811e723ba1749832f35a9ac99850240e693084530fc939c1100

SHA512
6459b3e9cbd6cc3769fa24e905935317aa8e3b2cd75c2b90ea998a1aff853ce233642fefc456eff708eb9c1b13d697c7277623b9e31ba22db8247558f64137c0

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\261c5686-2aef-4d60-83e6-e2e60475cf91.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4aa716a4-9042-4692-b112-084b746a1517.tmp

Filesize
16KB

MD5
bbcc87da924b94c910e8accfedbbb090

SHA1
394d4b953f5f3b67b8070332db2b88f13a39313a

SHA256
f874e209e560b93ab6273163d039aadbbe67b235f81ce8506db7e11705121eab

SHA512
1066b076117ac13bd829f0dd6b936ad09bfca6159a5573bde5a6d470a2c87c98c578105fec257a18e1a2ecceb715197c7e7dd1273a1a7801c90e3a3a7fe6b677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ce49e2e107c959f4f950c718c6881cb5

SHA1
b1961edb324f26b02779c5da5dd4bd6d265cec64

SHA256
6a2f918df3fc3f53b7d8364d98767527066cbc9aa626b92f5f345aad7d146bf5

SHA512
01cadd4d53d64763a158f4278077e9a9acfa088e73dc32d502cd95255e55858f170eca04d1c71f98c9e5b785c9546f69ec739c9edcbf19f798c9c8a1073c081c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8b27eb436fbfa0101c1cdee01e7138c4

SHA1
72e2c2856e6a4b36aa1e904348bb0539df32835f

SHA256
4f15021144d7f56a7a654d0a54ef2d47c27859f0e5e9bf1bddd934ce901fc7de

SHA512
5c0339b8e4bb7a4b3924adf83a483a9d8e293e1dd5f8a8f2b4eb328a62ab2fa441e5de22ffc8ff516666177a7b529479755ef2a7950ccbed7003fd7c5f2a8ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
99e572aec6cbe966bd9f89da6c3af198

SHA1
700d086049dc97ce2e2ddd8b8ba8eeebb19903ea

SHA256
4273edb7f0e66da40405121b57da8bec457a91ded6d525b5a6b719a725687e4e

SHA512
cbadc4501fb53387d794a798802375e2c0221c1b669fc65bb8e4ced970756d97afc07e8cac02e9cf71c84d5bb89c59a00d8f42d485d529440bf819e19269a39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57613a.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
cd61c916b922a933f605d191d301ae07

SHA1
45d698d38c546b223463a0d5220ee4ebd35c4c7f

SHA256
768a83f90896d3b47ddaa2946f240475a53986218997bb600f6103e7720a3db8

SHA512
8fcce470d332fb08d1aa15e6b8c3539330dd376f7f39f748e5e0a30a6e452156d2727069a6257ad23c875b0ff58171bd2b8b30987b5ea4da00fa0d350c35e31b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
02c29faf53241403467c8e869e7824cf

SHA1
cdeded0c4221164c30b92dffa9af74b3e80f575f

SHA256
785590869801afcb50a26a2cd413c96c08265d06fb97133b03c641a5afbc67a9

SHA512
f0d24218e3b25b6b7727dd97e1e0692cafe0a422e6a3d832661a66c78bf8720fbc69ebccfdb7edbaeed8bf5bca71c26bcd8a433bea57086b6c6dde1aeae70e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
8985ea985d4fc14ff2d1853e9fab1519

SHA1
197cd1aa7f455e097518110d7d63a047890a12bc

SHA256
d5b71146cc6fa4662030b27038fca8bc9a21f66838ee7d67164e6d11e2816659

SHA512
177fe696b19f1ad77306b1c64ad342c121a39ff5e092d2598d96f8cc782e2bcf5ff0d44d4b4adb03168bf1839479a634348912c4215c83495dc0606d04719794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
e6426dcc5b6300731f09ab6c2bf75372

SHA1
47226338f7d8fd4abbffca9d259d53f798df83ff

SHA256
4258cf94f7f9fcdaeaf105bdb6128bf01fa8ea6b4aaa889c1192441fe56fda5b

SHA512
a9239eb2629aa77d59d6ae4dc774a240ee7aa153192b01e8e1e0bdc09315c2771a6589afaad9bc1085a3388bd490b557e7e7cc95a3634dd79bce770d1651bed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
049d95da1571cfbe4d05e36a1c6607d6

SHA1
d2c7e44288dfedb7a5317ab0d2134fba7cd9206b

SHA256
07f0c41192b1bad16a6733693f7796a563508dc93271abdfb10a87bbbcda0dde

SHA512
bff153c460c93b20698a7261cdb4e635b518269ad5c907176a0c7562bf1f8fdf5cb035a9310d6178d330b1c6d38bc6024faba855885fa2de01bb43bdd7798825

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d6a9.TMP

Filesize
88KB

MD5
41bd6c9c57d400220e6f06853ccdcc23

SHA1
1eb49ec3a1107d6dc85a76391d120bae773287c3

SHA256
d192f245989534865b5df22da325fe9099ca105ead6a90b8652fa0f75489ed0c

SHA512
e999cf3b88000283a01693f01b960cace7963499e599c96c6f90dede15b966fb92f375055db63d41df3c6003ab53fc0e4a411a0f74d2b8affd9590f269360d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
498cb93c7cc6b015fb6f9935c5bbb022

SHA1
05d9f87d77622bb944726ae665929fe924b67aee

SHA256
b45bd55b5f7e867eebd0fdf24c3c191bd6eef9c8f1ca4fa57d22135430821ba2

SHA512
3b34811be6d50c44b3e2da38824b834514fe58060e408308a4449abf3f552bf4f696d16ba2a097d8b98df2feea2f36de0e0c81309d0c60b504254a34a2aa5543

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
9KB

MD5
faf37cc25c5fbd8ac0b34ae086a6be08

SHA1
9e1a86d5a74726189ee4756eeb73f08846226dff

SHA256
5f82262be23c9377fa89ffa7f45c962b55286ff31aa6fd9c5cd1328e0ce97434

SHA512
3a013d74441c5d4f5c5a2f4cc2ce1fb782eceac44436b8a1389c8bc8e3b4464b924f9ae903300242795d94ddb76a945955841fa9e98ce3fd3fe253880ce312ae

Download Submit
C:\Users\Admin\AppData\Roaming\68002c3bb5459c0.bin

Filesize
12KB

MD5
35689413d7d0854daa09390115813d42

SHA1
6b0ad36ce7e55ee029ebceed7ebf5d493294a568

SHA256
5524920e6393b3605964f9e0fc2c4bbb16c294b15a041f9dfbba34bd1ee9f88d

SHA512
cb12a987787a0e2db4ced139df8caabc0e70c9783f37247436a6128af3bad1ffdfde73a386f35aa633e2aeaa2162a5e0af9011c51a918503322b16af73de5c7b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
a342315666cd16be84bba00c43ca38aa

SHA1
55686902676a1fea56822d99b1a5175a6eee3724

SHA256
76a52bef9079343af76fcb811dda3e69f750657423a584f2bd615f99730d19d6

SHA512
d2f85b00af0067b149b912d74c95a547d3e469073137ec07480e157e47a1eaef217572c0bfb3d391da29d4436b1db3090d376278111f03dbe8792b02b63cf74b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
979725db6ddc2b1839d63b3d6b6217ff

SHA1
4cd2299ac9d8a41b68594dd07a66bb6c8936fd5c

SHA256
667818914e5eeef3f70211080dccc54d5402e763ce8bdf3a091080b7c8d6ef42

SHA512
a9d2ab07d31b7f38582a4e9822751a5a42f3c4b4473f54b4898da77a58ba964d1835dbd9bb0b08565e55023421ec588bbd2f413a2c3f44c98a794220d3a7d04e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f217057d9fc86939a41f19d86008493

SHA1
d8a9a29ead2b2c3d00e6440238d8a85be65003ca

SHA256
7383f6dd96b715af94dd21af94df67c5acebcdb5aef26f10249e3f4f23e3fbf1

SHA512
bca84497bccc50039b80598768312e537b72260ce115a98ba61cc9b47fd77597b9a86681e5b1672d2c98fb9abc5463152f0d5a47a877a0c087c82470016bf6f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e15ba7b69efbc8c7048d1ec91bc6a06

SHA1
0e78cfec4e9202dcff0535c5526e111e3a077ada

SHA256
6c32ded7d0629db88f4ee57f4e40f88204838e7fcae80b8daf059bf51739506e

SHA512
bda644285ee0f9b35aa94e601adaa08a833512b42b143b7bde9350751b32019f7cd948a146c65f6590f9de7fc2208d126ac615212ccdeca7c7b468795d16dcde

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
49649c90503e712154a5bd6807a5ddbb

SHA1
e97a53c29fb57852b920cf0ace4d0938fed6f80f

SHA256
cda2da07ab487dedf1b2133ae43ed89fe6116e9929440fe02712b874dda6fe1e

SHA512
4230968cbe8b87132d904b161741292eac02ac0fcc0d160dbbc759cbb62f13eeac8cebab6eaa776343ada5e416096bfc9b2d9e918d70d1b782cfb72d24c8995a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5ee7befc36600e45fe56d0eb9ed2238a

SHA1
be26de8df0ef4ebf1fe9c859526b11ee59d8be12

SHA256
27dd7f77bb378d0e1d87d143bdacef02bf449891d11255edf041520c83ad91fb

SHA512
5092cb232932d1b5fa4ccbdf5e9b2a80e4c0e13ac2e2625d14fa6a2df196100420fbaea6d9f92eb0fc2b47d1e04742d4a832f2d1eb9b3d0fa78e21c5d576a5a7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
abe70bf5af18448601fb96fc43fa149a

SHA1
af3ee3534df3ae55c7c8f2dd58bf8becbd25b5d3

SHA256
4bb632c5bf2b5ec61b802e5ae2a5fc960980b35ba987707d8c8ea9536cc2b39c

SHA512
8529c75e800cadf7db7b257872f4f8336aa24e48b858172e705712209eac2dfcd6ff62131b5b5c2b8d8eb5a5c5e2f1e21ee53aee46e755869427faed2a3e055f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b288a51e14ea0867f3c8d960f196bed9

SHA1
a3c471d745c7ec0c2a2e736b878682c14825a120

SHA256
5745f6a824e448f3b1c2fc14e31fc24570b7b18fae56aaf408648e4ce5521058

SHA512
2db1c2bbd2fd4e893e7852921f237851e812476c1c1027cb14b53463a70308cfadbda50c13595d0ae280e5abf8e31ace8506fc11e714a66bec1e6f380e89bc99

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f93cb257b0d913a6d2838facb4221103

SHA1
b6c84b32ed30b26f969d7bb335ca3746e449a3a5

SHA256
b6f5a3bdbf91268091d5c7df2b9185c8dac29654abe0b0d2ff1868e51f891b4b

SHA512
ad079c4ff61d0af5489afd792aa0133a78263297cb7e0a840226f06090dec3a32f787ea8d20725edd0b0351a749685d98f826916781fdabc1ffe65a1a2aae926

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fa6c87ef0882bb89371008fbfa82dfe0

SHA1
ec8a55ff4bf1b6fcd9736ac2a91c514ddde422f7

SHA256
573bdff0ede55e8187b5c4681e9b40d1039bb1794ca751025ac1230d2c799aa1

SHA512
bff2da65a3abae6e997c53262b97ac271fe418fc72bf15bd7d80a2fabdc92c0423c811c7a2055d8ed5104198d6a3a2fa1851eb0d4b6c5eda74bd00a26e620285

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3f332bfb7248bdadb63d6157eb56fe6c

SHA1
827ec4ad7b60e42e3fe41b63ed230b3b9a3caf22

SHA256
647493f3f16daaf7066c81d1f0746a0dfd0d9062237d8104496c9cfaa2b01e1a

SHA512
0c68951e13bd5371bbeb6b721c8b986896dad880c4bc8942b033096d5854165c82210fe010a0ae973edb40de2076ce5fca34a7e0b7eea3211eaf2719380cbd39

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1de01f08469e07ec0c09e7865971da9f

SHA1
80e5aae0d66d49f284cbe90432e9abd8916bdb1d

SHA256
ed58d25cb4a1c2fc21fb259252d1a749aac4b7bc08982e26838c151a0cf1b721

SHA512
6482033a20ddd7c4cc3220e40bae67b0cb8c2f49a115a45f310437809b1756b7be1cba5247ba1fd57464bad48af2b5260124af4616d5bec1ba7c43b0c3ce744c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9ce95466f597a4dd1a52545a206a0b07

SHA1
e97f4b6d00573afdb8e8b02b1be8ba580e659b24

SHA256
4738f2fb5b59534e6170e2bffdc608b879cf262fbb8e2cb99ba878036eff89a1

SHA512
ab4d7584638f8941e3d228f5de356c8e7c87f27c34bab15ad5988e250c9f8b45b8c6fedce17cdf08ddc68a04a76ef554f51dc13b6243e22f1627b26be81f1479

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b84eebaf653260f37bb7cee001b46971

SHA1
358430b51976d3f1d4869a0fcb293187daddf242

SHA256
3c3ccb1633b42cce8bdd2f0687be2d45a554cf83dd5a070f07dc8bd2b25731f9

SHA512
77089b14f5a052e43df58076e81425ed58a61c14ed086b5bc87e5c6ee1a8becfde458d0af5b83ef8597fe77e1818ffe46cb54115b7d94890b0dfdc14c7110368

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
86d4ee0d18e3ec7f0a9ae676a2f55f7e

SHA1
a8cb3f9180dbda26d5cfc9e466ea31c3aa317313

SHA256
e81bc16c0c0670a63c748ac93802ad9d2a8e15a2d808c24191e916e26d25e014

SHA512
ac07e00098423a6ae531baf0e4ed4e4bc7625cebbd662c527c4e4dae753f7aad148f2e9019c69d8e864810ea18c02e5df75b28b7ec7f702c05165a5a919a1746

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8146ad20c125a6b60fd34558ad747653

SHA1
5140d563a77b1c369272d8a9b95cb2d8b5df8317

SHA256
a852aa087336056445d6b56481092d600ce17f0d640f4b66e26a8bb97628286b

SHA512
857335a0673e97be6e4d303d9b7b13ef2972466c354cda924889203bf7a0e02ca38c33c4a3822fcfe1f686e76adbf6eb4ee5dfa4dbaf3a989a269d5b0e42a43f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a29640d64b34662b49b581d640302368

SHA1
f9d4bdaf60626270ac433320a369c8a8785690fa

SHA256
07a264a1030881a15bd87ffa525647a3cedf6a159d697ef6f5de880e8078581b

SHA512
927d28b52649e19392e89e843f02e7dbbe699cec0f6ec8a801bc5b18301afca10601bde90b9def6c4c5035260b8c001f84afb2646e7913b9604eb16a6d3129b8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
70cc1c82bf215cf96c55a5183b6c01df

SHA1
5bdc135bdc9d2a81a78f84b45d718740707e263b

SHA256
8a533a1256d0c9ef585a3794ba2d17101b8c7e4c8fcd11002c82008e73c90ae4

SHA512
c6d0571c5b01f5e84546bb45883588f4e509b97f9340c27289adce3f6e488c2ebb00c5abb67530ddb889877565c88dfe812d63674ec51b03efcddc940347c627

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
405ca30d215cb44c29f5b18af5c7079c

SHA1
d723ee751c421ce5dbe96602332cef68b84b2dbf

SHA256
5b677a2232f401520c39e9c98de065fe56c8bca387a56cbf22a736b21d4252a3

SHA512
c38f6f5052921ff18da2b6245cc2f13b924b0044860a297dd9c13c3551e4ef1dd9fd2daf4601006cb4d5545c8b8287917561aa8cc4bb0556a05c30c214eb8ee5

Download Submit
memory/408-572-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/408-745-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/552-29-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/552-533-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/552-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/552-30-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/728-286-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1036-545-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1036-740-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1704-288-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2068-51-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-42-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-50-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2260-558-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2260-584-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2344-138-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2384-105-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2384-631-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2768-100-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2768-88-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2896-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2896-294-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-290-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3456-289-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4064-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4064-536-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4064-595-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4196-295-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4480-296-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4480-650-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4524-648-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4524-141-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4588-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4628-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4628-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4628-6-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4628-33-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/4908-517-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4908-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4908-17-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/5060-139-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5060-643-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5188-106-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5188-632-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5188-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5188-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5232-297-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5232-651-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5356-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5356-74-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5356-456-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5356-67-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5600-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/6004-62-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/6004-103-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/6004-56-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/6004-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/6132-292-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download