86ad8a837cd4cf97ea11492d2520cae5c0d93fc652a1ffb7fb4cab3f4a95eaba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
Size

5.5MB
MD5

ef056cc71f25b9c93d8bb11ec041e89f
SHA1

d055cbeb2a0c14400159d31ea1a7452ddc508307
SHA256

86ad8a837cd4cf97ea11492d2520cae5c0d93fc652a1ffb7fb4cab3f4a95eaba
SHA512

8723ed184f44e2ad25ba0a0f9ef376278f6bf606c16bfa85425b821d47c53c38ffd7c5ccc1e5af0713cf16433587fa166dd5a755569a66876ae8c3f201953891
SSDEEP

49152:TEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfS:PAI5pAdVJn9tbnR1VgBVmKhG/2o3p8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3260	alg.exe
2240	DiagnosticsHub.StandardCollector.Service.exe
2992	fxssvc.exe
1344	elevation_service.exe
2644	elevation_service.exe
512	maintenanceservice.exe
3220	msdtc.exe
3556	OSE.EXE
4448	PerceptionSimulationService.exe
4032	perfhost.exe
2284	locator.exe
2964	SensorDataService.exe
4580	snmptrap.exe
2260	spectrum.exe
3172	ssh-agent.exe
4496	TieringEngineService.exe
1844	AgentService.exe
5188	vds.exe
5268	vssvc.exe
5456	wbengine.exe
5572	WmiApSrv.exe
5704	SearchIndexer.exe
3716	chrmstp.exe
6084	chrmstp.exe
5380	chrmstp.exe
5500	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a75eb026c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1bad97ffbb3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000236bea7ffbb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e22d2d80fbb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f71f9e7ffbb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005abf7c7ffbb3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa227f7ffbb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ecdec7ffbb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbd18f7ffbb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee7b3b80fbb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023b9f87ffbb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1bd9b7ffbb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f412180fbb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
2056	chrome.exe
2056	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5036	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
Token: SeTakeOwnershipPrivilege	4264	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
Token: SeAuditPrivilege	2992	fxssvc.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeRestorePrivilege	4496	TieringEngineService.exe
Token: SeManageVolumePrivilege	4496	TieringEngineService.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeAssignPrimaryTokenPrivilege	1844	AgentService.exe
Token: SeBackupPrivilege	5268	vssvc.exe
Token: SeRestorePrivilege	5268	vssvc.exe
Token: SeAuditPrivilege	5268	vssvc.exe
Token: SeBackupPrivilege	5456	wbengine.exe
Token: SeRestorePrivilege	5456	wbengine.exe
Token: SeSecurityPrivilege	5456	wbengine.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: 33	5704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5704	SearchIndexer.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe
Token: SeShutdownPrivilege	3364	chrome.exe
Token: SeCreatePagefilePrivilege	3364	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3364	chrome.exe
3364	chrome.exe
3364	chrome.exe
5380	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4264	5036	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe	83
PID 5036 wrote to memory of 4264	5036	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe	83
PID 5036 wrote to memory of 3364	5036	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe	84
PID 5036 wrote to memory of 3364	5036	2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe	84
PID 3364 wrote to memory of 3680	3364	chrome.exe	85
PID 3364 wrote to memory of 3680	3364	chrome.exe	85
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4652	3364	chrome.exe	92
PID 3364 wrote to memory of 4624	3364	chrome.exe	93
PID 3364 wrote to memory of 4624	3364	chrome.exe	93
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94
PID 3364 wrote to memory of 2292	3364	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-01_ef056cc71f25b9c93d8bb11ec041e89f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2ac,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef993ab58,0x7ffef993ab68,0x7ffef993ab78
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:2
    3⤵
    PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:1068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:1812
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:5292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:5668
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3716
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:6084
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5380
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:6576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:6584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:8
    3⤵
    PID:6676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 --field-trial-handle=1896,i,12555245869795168906,664822593126383698,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3260

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3220

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2260

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5820
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
103756b6264294d8437d509ef28a1d46

SHA1
2d80e57a54253aa8a0f8864e3b625bb592eb7c72

SHA256
627e9a964ca25fbbad761e8657077b894fe983fe7fcb9b801ea1a7b51b3a9f42

SHA512
af35ca837a4ecc68b117b8fad140abc0e901811ad673cc3d091bed8dfd80b570f557db79205d8e6e96d15cb0f072e4be309f87412f1fc5b4c580818b7a84622f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
42d50be1c858d227d0ae0efec6b66f61

SHA1
6c13d61e666377482dc15daee86f70f8443e4542

SHA256
39e30bcaefd60bd38c846b6f4a81bc865efe098516e33df91a0de0af5f1ff1f6

SHA512
b23816e0b9d8800640a805493df63bbf47fbbbd769a3545e7c9b53ef6ac4569bda3eb9f590fa9a2ac9fd1d6589e3625a279a160cc9b11c069edb0a8655af7614

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8ee9e8abb0e93396d39aaf877a1d88a8

SHA1
0460b19e02fdd7c80f9012b2c8c41cb207f6c9a2

SHA256
885bfde38fe2d26e36e0a5ceaa07b8f4f251ec02939ff204b89461795e083683

SHA512
6ae6598c0ce3a911c90403961170cb3637f9314da598bb129f4b5542e96f7db9db489a9c28b653f591bbe7e5d148469f3bcc1bbc333c22dc4ccce3788c07e177

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9f59fdda2decea2db184c4a75c51d338

SHA1
98c7e31cea702cc8be7a7b84db0d0230eea2ec8b

SHA256
40ca9ef10c80bd0bd711c522953577e660f1c423507f6f202597cc27ca975551

SHA512
928d48bc80e2bd2f178b39ab70c56068dde3b66e07fd9e857bf8a425e0fc986026cae22e2d01d5bcaf318b447ef23660443ae2a05807ce3632d98ff384c81c31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ae0c26e57d039c7302d1c841a48253cd

SHA1
2c618965bb15c402698c74d96d53cfbc18153d3f

SHA256
4a4e57801294265e12d39adcb446c53d67148596f994c2308d95e97dba75febe

SHA512
bee6b75fb152b4d160549481ed4b7a679e5194a2c8b5102a2153722b7ef4109b1ed3c03959a893a02aa7c0bd5f2b3170a4783c0cb7db719da1b0041b86e58666

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6c642fa4-c09e-4a1c-8c4e-c42676b5d0b3.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4540c747-fe28-47e7-b44d-3c511b11af5b.tmp

Filesize
91KB

MD5
7446f6e5078348e8b43f0751fe077645

SHA1
61b36fda4ce136f5204e8c14741a1e687d946e42

SHA256
9989aa69bfc646b69eb110c28dd1e7b2967d5ae5a60426ab4c8c6848498fcaa5

SHA512
aace55207b6886178aa45d096f13ba5795a55594adf346e456e87a71c41ae5ce41558155a03a0e2efcb66d7527f974d9199fa9bc8c61a9887f0529cab26cda9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fae5e6e60f8f87116a1fa2a0bd3e0ac8

SHA1
d20d65a76722c186e88b0982d9b9da5ae45b3cb7

SHA256
300151167c686cea9b2933d6a537296875c72fcb1e069d2764433b97c9c39106

SHA512
9648f0f934b1b5ef4165b5feda307e7f2ec5ac3c7631867930774561e428cb30b0401d684ecce3a6ade996e974dcc5dd3c46ad46f37b46a8204ba40497fe3443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
886122a534de8e83c21b444e649af785

SHA1
152c9e5df0901b911b38a10d90e0185a08a71759

SHA256
e07afce95a8c3b87783ef1ce8b3a6f089d7f08501473089419c329ae7e0093b2

SHA512
0485c65d8af357640aeea772c4a7d2b0ac49a572dd9e7bb2aa911bd7a3e357b8a7e692f4c69a6c51faf4244510c04c6367766de4bb3858013c6a9436a72e7b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e22478e0bbf1b7c5489116a5801ed2a0

SHA1
28d2f40c4c8d50db00667dd7481954d3aba8e6b4

SHA256
e156b40a68bbc961b7702cb674ef9bfd60b911c1682e28f8d0e3a6081df68827

SHA512
5151c9facf6e56bf165102dec7f69dceee15a4accb7ab8dc95985ae4ed21524d2bf1d9258e3aead26f511daa3119cbe3f5ce9ee4a0ba2e9b4cbddc670e33630d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5770ac.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
b6b9f8df876d3a0ff5b8db39f08215a9

SHA1
c75c2f6e8aa0bae9e4ba61f343460f8665a507ea

SHA256
a90d5690685e9d18d5cdbbf80c0bb74304390a3dc9d000b8028287c576ad737b

SHA512
6c5b307f9c85acc5fff8c222d835c105cc83f0c4e05769f6ab8f770b034c60791c5edce88e28ddeea757a1ce0347d2306d4dd148f20dabfca99ddfb17da4ee0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
6327b80d0d61ff378d6cec0e84b51b51

SHA1
be4f343807d51f0987d7f07bb4037b55d505c45b

SHA256
e0b420dda3e8f7790f6f81e5572d5e4297e8c69ef968d00a8d567938384febd4

SHA512
ffb053b265cd6090bc04ff60bedc49c06c0e03e800cb1b562119be5f83b644279bb15c8bcc29d25864dc2018cf8f3d6503e6ad5eeb5bb16eead70c8766d7078f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
294KB

MD5
3dd7a49cf50477496fd185420b704cb4

SHA1
64ac77118985ca4ff6770ff9a3d018327e9cac8d

SHA256
8e5be1fc24e156811e122abf7e1897e6461519c94915cc6770ed44ad61279a43

SHA512
461765b8226d9eaab0866e600b7742e2704bf710b64191c55d225dc69f1d1f833593f661bb3767803a01547665617a2e165226004b5a368f38dc5c6f375ec018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
4e7619f3ca8af3e52c7723c049505a07

SHA1
fa7575b27c3e0576945bf6a2208a358f13830a2c

SHA256
5046315a60b603d0ab0fb50488aa32d23990d90db8dad290b31e19ea8b0693aa

SHA512
18cedd7cccea4334ca8deafd6ef4344de2ec7271062bc326d9fbe3137923c19b1ba51b7cae1b092a3769de1aa21ca96389d9496437e22e27b26d2a6c1dd3188e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
262KB

MD5
863fcfe825531890a4441221802bd019

SHA1
5f9ee033d192dd579c5f77b3fff2699dd2b796b0

SHA256
b93a707aef1d9881ece762b5b3f8df31e6d09ffa42680e147a364c765a58222c

SHA512
4798f8c430554befb302a72bf0293923496f698c00ac8429be20d09053716ddd24f7b41dff2f5a63765b63431946a5f5cb7271fd82a0a62fd73cc25095f06f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e61a.TMP

Filesize
88KB

MD5
8909b60ca18878eb91b1fb4a331fe525

SHA1
b5bf47d5e64892655ca9b852fb45e2486d77aeaf

SHA256
62920202c6d0c1e19a9e0c682245aaa1381c8e15a1c0f6adc95eb4c3e016904c

SHA512
4e575c6f64e93614b76672030b8ee5aec13a624875c112f6ba776ef9140dc32b8e5f934a39e07b7357e5a5471ff956933f424577fd747a261f5349d3b435003e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
68e98e29115eaa661b25b89f6654c4a1

SHA1
c8548f274fb95e370c17cd3f7c3550c236b8beec

SHA256
3aa64500176e34979b1480ff9b729a788151a27552db4f9142c4770590ae0d00

SHA512
3f469c3f0d2ed8ed157252ecc502d009a719781cd6268b8519d7ce064179de93bfb468b28fa9c6bcadeeaaccdd5e129b7414b8b86e40326dea1be4c890608321

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
3e6b31c030b85a9d94fcab3de3bc888a

SHA1
fc69c0548506ec957b3fd323ceefe3da83173910

SHA256
556097529237682648c02afd931221199bef6e305031d7a7429d891acb808bac

SHA512
536c5f296c5af8daabb2fad565e80a52321f8013cc7cf0644cd4a8b15e546f6180ab0f7cd8bdd6a79e16d0bdc3504025ebeb578f8bf2465d76c6a19e1e4fef6d

Download Submit
C:\Users\Admin\AppData\Roaming\a75eb026c3136770.bin

Filesize
12KB

MD5
2eb959e55814bfb5eb360a033a0a6c42

SHA1
422ae78f3b770025f3a4eb447a7227cbbcbfd915

SHA256
522a151dd1e82808745e6a72b6e822ce6114b43411d706b17ec1cd9db5a5a477

SHA512
7dd8b2a58d8c00c5cd7e157f8e055c14c2a88b1602e82005daa30cda39a15b906bc07c01361226e75cd9372b25be2795456f6f2e4439f415660da98ae1d587ea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f43e240ca897b1cba5b5265898269071

SHA1
424e33da93013360a1a13e04c6ed5c602372c9cd

SHA256
09c661775a367ee84e0ac285219bb94236ef7477d36cc6f43bde6cb5dfafe883

SHA512
f83daefe01bf05d4aed369f547965133ec50f4bb103ffddc62ec1444b16c7eaad833b6f6433565eb1d352d40c583c0840a19033b14ac5ef744b19ecf70c77695

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7dbe703ff5f3287517d98b2702d49084

SHA1
11350773eb922277ce14f00505fb81849b08de08

SHA256
c0059924e50ce5c07de051d10256ecacb8482103ba4d7662d768cc24edd78322

SHA512
33b2ea0433bf04b0a451478d123b191883f6fdb08202c5abdfc2fea1362e5bdb22dec95d3e510dc8dfffc109a0d3477b1bff0ef3e1189ac309505e45ef6a8265

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
50c3cd6c93f53a4bf09620fdaba8d216

SHA1
aa2be37aac4eac87bfd9e8b5556e7b717b36bea2

SHA256
e832582bd1a2d800eb434c6235f199094522aeff7372fd388165115b3c008391

SHA512
ceed8c2381a1c263754e7f4d1696843e0bb26bc3a85b942f747cdff93d0e0419dedfc8742d27aa7fadfd742dca4bca596577a39f995b3169b3eccc161d899bc1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
58383a128554fd5ec19e173a152218fa

SHA1
fbebe6224b77a144dbd68917177c589a02b3c88e

SHA256
ac85d0828f2a32d9779ddefb4d8118f4cd1e42ab73c6635d5f34b7c54ec3730b

SHA512
c0df0fd83b1e8b8ee8e5c936407518868c93c05ace56fe63e688e2407ddb5987d19c0adebf40b62abcacf63de7c154fe9891bb3d177abda7fdde3fd850aa9d90

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3b7bacd1fe51fda1c4c8dc76985f6d9e

SHA1
79258fe57826a0bfa422575903e0fa96f3e38a79

SHA256
ea482d5525b03ffda636d56285e418d3f3dce9f670b622ea075bf83c4e2651ff

SHA512
e11a481ef3327e7fb8b8888fbaf326b546e2835761641d37a5021a7041adc71d5bc044074dc96bc6b4761394194d32cf419c6a143c7e4030306ea72823462011

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
665720bfea83c49f0cf023a37bdd1c96

SHA1
c4c623233595949f5dfa76430390fb449a92227c

SHA256
410cc0a9c3d1835273e71c4e478124cabf3c5a5b4f3eca2cac31959015558c01

SHA512
ae75e71389f1daf8a21754355fb0d962e1920b0c52f132a7279ee38fc7b93c672145957cbdbf6f49db6f3b32eaa25c35f313d0d067dd50079c73d37f64aaed0c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
39a669e7c759e3de240414787681fd0a

SHA1
de9562a41078d9fd9b0d30bd43dc0227382ba557

SHA256
569d9c9ac4e5deb6fa6b058f28cd493a644af7eea564afc82640da6c8ae810e4

SHA512
8683387f9a4a31bf85f0bf48936ac86fd19ba80909b6f5f2b72beb6148a583cee0a82f7c0610eab9431a32ab70a3520112f543326d02ed1f06ee635a502fbe76

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
19f0d01c94dd634bae9674b6de78defb

SHA1
a7c17c452c8339c5e2187fdb5559f6bad9d23b54

SHA256
ff56810731729bd5a50583f6e719f8542af5ae1c5f4d2db06929731d13a304ad

SHA512
3f260e9d066c79a5bc9211fe095eea07733dd2bafcd1ea18e94018806d3fff04b28bf2f662a18aa5348066b1654a7bffeed8730124d7dffb43ff46566464f59a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5b4095911a39e8fb45a8a82ad741fac9

SHA1
8ef5a102e68cec51cc6f0398ed33e89262e8d8ed

SHA256
1c169bfea7d39eb71a82c0b49411f88d758ca32428de262181b2dd90162c817b

SHA512
0605a00d32ad138bf8081e91826675236ade55ca5588ef9c80fda96d691ecb2ab5dd7ad162e5622a3928b3ec359342750f93f8fbe06d1f71cfdc3972847b8cab

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4749113b966a264ea3e7a40e8a5a9a94

SHA1
1b3f68ed9da6067cb7d5acb18aa140debae01015

SHA256
ef9663441168c51cb6bf3fb00298c2ac7c61caf75fdc2c34e89f16e7e1034436

SHA512
e692f6f4ea89427e34b546be7d5ff4ffc66bba29ba7e266e0226fc4998b558ab37e5c0fe2662a79af0d8a1645ec12e576643cc0b9831b07fc71c453fefc7f86e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5d151f9d89037bee2896204638b0b2c1

SHA1
dbdba3c83bba00adb8f7ce9f6ea418b91c1b4280

SHA256
391aec2b8cfe465ed115cc0487acf4208b25ff15c6f9dc47b4f6cea5ff7f5fdf

SHA512
44d527717254594f97593adec9c16a81d84d7ef8b48d4570d3c492f1003158c9fc740ac5e7b36e1cd40c58363382ae79fec26ce979354ee0990418bcc22014c0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1e75020a808c52c92ff6cdf58d68b1d9

SHA1
2d94561a24c6f893fe3a517fa0f4c3411355e874

SHA256
d668c195d808d9939f9af5826d4f39f14108939495f9a4e5d1eb2063b14c027c

SHA512
ab7fb803a156afbbdd154d341c9b0aa3a71e872c1079c681ff3b0800e88acb985b02430efc991c35a78dad9c3cc6a625943f97871576d40f772c9bcf424a8fee

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d0fc094c5e0cd8037ad1ed6f0dd15cb5

SHA1
4c5abea6959f932f66aafeea92b9f8380a9f57e3

SHA256
bc1a10e6cb2c152db27a4a333aac0d86cce1034a62513ea2475b5dbb4b0da226

SHA512
224dbbaf2106ea1947ec4f51dac46ff40d18b4cd7c00c289d2845c7732cdf01f8dca16a227cdfadf8f4872af64b33910f36c5c6f7d1cbb93b582f11cb775ad97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4f42bedccd290047dcfe428ac085aeed

SHA1
2fc34aa3dfff35ee0e845f7444d5ef2b8da41502

SHA256
316a27c7df6338373d88d160679761a39e3de50d22a11ea44dbf419c5c4c3245

SHA512
a30b3c86b38f05a0fffa49c3e1d4fef61211aab35007e5f164f058ee03b9cd9b9795199bbf605ac2c0592ad96986512c862ce98da258a875985f03e2479269cf

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0b79b7a684d2f819b1040a1f1cf34732

SHA1
3763c213ab0b2fd0d35eb85a14c3b0fe5f7be5c2

SHA256
df5561a891f7f8b00819f327078ae443e8b22508370f2335d23611aab8cd8eff

SHA512
35cb0825ed91218e378d69d838ef97f404c00b8d087e4b1c8369b65018ad556b2a39be07edd077eb7c3a6c06d4e84ec57ca88ad28f7c69c265a8f14eee01cfc6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
85742e02916ed30ba837a22120e551a3

SHA1
bf6d6c584e8cd683168fd61dbc896c759db23680

SHA256
e5a9d887f3903ed236110399601d6331cbc6a1e7cec100b740926a8092599a53

SHA512
2e8c6abaff948c192c5ffd0aa7b16a7e87460df43184f3738013354a48be73494a9be32640ed50d4b164e0f7420c387157f0e7779c88367c9b3b551e5ccd5429

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0a790b21f6c63db57bbd9327e7229e8f

SHA1
903ee6756ea282262622be4b7f79a96df2fcec9b

SHA256
f4dc3469ab3a5fa189cc9a43383f902407ad5a348801be72064bdd800d34ad19

SHA512
64ce700272f1200fe9bfa2a00b604bdd86e958f87b1e49f13d0003d8a4b6a37a31b23df395fc4e13fac2343b51e105c0ac2af717208f0b9b7462f11435847821

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
349146292e3ec976bb46d9e56534b55b

SHA1
6eaed8606ada0874a247b8baf879091d25145b15

SHA256
acdb5ab506648b43be0fdb7162821b4c945c7e92f91824cf8d1c348dc9d5e682

SHA512
a6a16eafac386c08c480ae0abfeb62c8c484891e8a037ae9edf364291669128fdd927e2ee9a93e0088ca4cab13e3c9be255fc2c4d80e021c82a0942e03845fc8

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/512-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/512-117-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/512-128-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1344-131-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-75-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1344-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-69-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1844-293-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1844-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2240-53-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2240-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2240-54-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2260-530-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2260-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2284-212-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2284-341-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2644-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2644-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2644-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2644-96-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2964-349-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2964-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2964-658-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2992-59-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2992-65-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2992-79-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2992-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2992-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3172-535-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3172-255-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3220-146-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3260-40-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3260-180-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3260-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3260-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3556-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3556-299-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3716-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3716-514-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4032-181-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4032-323-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4264-164-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4264-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4264-18-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4264-12-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4448-173-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4448-311-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4496-559-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4496-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4580-509-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4580-231-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5036-0-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5036-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5036-9-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5036-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5036-22-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5188-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5188-707-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5268-319-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5268-715-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5380-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5380-547-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5456-718-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5456-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5500-726-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5500-565-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5572-719-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5572-342-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5704-720-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5704-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/6084-721-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6084-531-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download