17b9cda5c123d585b2db6e59418a633820292e9fad18600f5d0a12292392a88d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
Size

5.5MB
MD5

011909c4cb54523b58040e687195ceeb
SHA1

6411e66209d64c057dd4cd67f05dcd4f24282a3a
SHA256

17b9cda5c123d585b2db6e59418a633820292e9fad18600f5d0a12292392a88d
SHA512

0cbc51de3e4333b536f8df11f002d5f7f348ded735b92a07cb571b859f433582469a0ed754d67b276ee306f2658a14ae43c9d3f269b67a2f6eb8af45a4dfda55
SSDEEP

49152:CEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfV:IAI5pAdV9n9tbnR1VgBVmiTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2648	alg.exe
2700	DiagnosticsHub.StandardCollector.Service.exe
3436	elevation_service.exe
2232	elevation_service.exe
3352	maintenanceservice.exe
4912	OSE.EXE
3868	chrmstp.exe
684	chrmstp.exe
5056	chrmstp.exe
2088	chrmstp.exe
5352	fxssvc.exe
5456	msdtc.exe
1880	PerceptionSimulationService.exe
5564	perfhost.exe
400	locator.exe
5640	SensorDataService.exe
4868	snmptrap.exe
5748	spectrum.exe
5816	ssh-agent.exe
5960	TieringEngineService.exe
2756	AgentService.exe
5064	vds.exe
6084	vssvc.exe
1268	wbengine.exe
3428	WmiApSrv.exe
5024	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1a8da2de1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fac8662c68b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cde3b2c68b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032c7852c68b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a53512c68b7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f551702c68b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a40c4e2d68b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1b8152c68b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620796187482550"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7b4722c68b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eb7342c68b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
5288	chrome.exe
5288	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4612	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeDebugPrivilege	2648	alg.exe
Token: SeDebugPrivilege	2648	alg.exe
Token: SeDebugPrivilege	2648	alg.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe
Token: SeShutdownPrivilege	680	chrome.exe
Token: SeCreatePagefilePrivilege	680	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
680	chrome.exe
680	chrome.exe
680	chrome.exe
5056	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2844	4612	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe	83
PID 4612 wrote to memory of 2844	4612	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe	83
PID 4612 wrote to memory of 680	4612	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe	85
PID 4612 wrote to memory of 680	4612	2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe	85
PID 680 wrote to memory of 4956	680	chrome.exe	86
PID 680 wrote to memory of 4956	680	chrome.exe	86
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 1004	680	chrome.exe	92
PID 680 wrote to memory of 4708	680	chrome.exe	93
PID 680 wrote to memory of 4708	680	chrome.exe	93
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94
PID 680 wrote to memory of 1044	680	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-05_011909c4cb54523b58040e687195ceeb_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a33ab58,0x7ffb2a33ab68,0x7ffb2a33ab78
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:2
    3⤵
    PID:1004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:1044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:1
    3⤵
    PID:3564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:1
    3⤵
    PID:2228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:1
    3⤵
    PID:1916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4428 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:2772
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3868
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x280,0x278,0x27c,0x274,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:684
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5056
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:2088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:8
    3⤵
    PID:3980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1008 --field-trial-handle=1908,i,13395818702195665715,13981538990921911466,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3352

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5344

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5640

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:6084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5024
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
df765ab41b72c1b5dfb67113011c0fc5

SHA1
14f76b292168b4d65c8915a69122a69f1df03eb6

SHA256
a5ef4fa8f49d3a99fa61efde85a2bdaada7555bd296d9323caae58bfe8ef7a70

SHA512
b2666b38cf1a76b4365af4abb73c2c862bd9119fe57f32b62183a3a1cb08de5c2f54231a025ca6696c5343700f35cdd845f462996fe977c74b7f4be43c26a636

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
641132df3377f4527e7acec4271f9a0e

SHA1
87b44c611b693a8cdfda71ee0fb17f48678272ed

SHA256
6dcae0fa7302f896dd7b0a8ae55108f81144f74a6982de9c6caeca19f8983684

SHA512
f9279a515ff021fc6da1f6cef44870318b2935e27851ee6a9ea2f791a71aedce241b839d6432cb6eddefe8601d0201635e709474924850a10b21f8d1fc8115a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
27f16bd603f595a964982ac8d287ff76

SHA1
f815f98465cdd35193dd7542db232ab65d7c7792

SHA256
07525bc8241e689b5f2cefd68834d73f7b83479f3d18f4c9bacfd7b6744cb37f

SHA512
d77761f6cb6e94fadf06ee8f0bb673824dda24ad14a9b8cd70c1e51bcef67fb618b682eb7e4c9229e0f46cdda6dcd40771987dccd90f27958eb612f63ccfbeee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c908f3feaa2415ec0762e29ff4640516

SHA1
687e538d39f5913e8073265d5319e23ddd623b1b

SHA256
1b00f0a7d0352f48af29d7d22c7aeb2ce5cbfcb1f0c8bd2a8456c46e74f56f4a

SHA512
0648bab2af2ac5916c1d54b00a126877577ba6b8b5b8d97c678e7df3eaf62cad77cda5d9e542bb0936a2e2ee33ba2588fe2667f97fafb473adf462e29adfb41b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1aac335a533e285690196c1d919cc344

SHA1
9ccaa118c2be7f61cedd064f07c75f97deb45711

SHA256
9bc2471797a3f58734c86a35f8e20d8ca1ddebd237fb19d2e4ad26d50f376137

SHA512
cdd696b3b878cf2ddf396c9429b4ff73f9a58690139378ba01e7e4ae9b9726548d1b675bc6937dabcbe0c551b1442424fe0069b643a5893e6e45701041a82b7a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
bd733ded3db1a975a3571b1dbbc3f41c

SHA1
9676150bd4f4d50be2a36c0861691aefb2bc740c

SHA256
b5e2bf4a78c4d9daab631eb2dc1fdcbe26c05d1cf9a6efbde59ae5d3ad168a44

SHA512
029a3209a2fccc69e37dddd9f78e61a45127bb763d3aa12512fc3c8572a6747fa7ab440fca46f80fe1b8c00b904ac8d880d3f6a9f1fef0e5ca37f707d83b8cdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
86a90212c3a02e21e772d24b9f2dabb0

SHA1
a9fcf730fe225c95ae3ccd1acc1bdd5a91df4c9d

SHA256
fd3017bdca4972d216323b92c6e9ff9f6b1f97494edfcf614d3ef25ad1b4d522

SHA512
258547f0fe2f0ede2252ff1d456c4660c8cf2907369c709da126ead99eb07297ae811361da616b1e802554e6313c4554f0ef646b65d1ae5533b70fe09c948afa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a85e18aa4e75c86b57456d485bee14f9

SHA1
a0f28bf03113fe49a4a8527cf2dc5f81f79d7de9

SHA256
705f070cda083c34ce16a8862430fd81ada70a9c553545f8d78ed4ee200b4576

SHA512
686fb85db2a3a3c0a9b09abce40656be6927dfeed8aa152fe66e875d351ed8d64d29d543dbcaac83344198b3be57314621496702b454e58817e82b238ff7803e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c6c543d478062b257df5eeeb3cdf7807

SHA1
a80bdc5e306cdab003d2dade37c70c3156c2a7e7

SHA256
8cb76ac8a1437abd32553e4e35035ef70862412a2ba5f41b436d24bed40ffef1

SHA512
f4004917e7158c39f3264450827a43c7bec7e2ed03c895c2d9c35ec250fc0c1ed0038f975779991f4ed8cad79cd94cb168fbe3765d2ffb652f7471576668f6c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b15d25e62d1df00a14e3248df13ced9e

SHA1
219babab101eb0b18bb73e5a2f7d02ca5aafe616

SHA256
5d41994de823bb6140d9ce22ea623d5b274102fbfde5e148330407c332755c92

SHA512
a91936ec52d4ce950cd33822ca3f4fc5e5e25eb36d1ca1b54c71b437a54986ceb76fa624fb2255477a43aa75adf93ec6daf0258a08a7a725a2d6682f2cbf22bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b8147ab3aaf202e0d9f64046c54bcfba

SHA1
9585bf4438fa63a82f922ccce5b06efc18fef75f

SHA256
7cfee0a2a7632b13bd82a736a7681db2e2107edd37091ad090494e93f5c73a5b

SHA512
0586d7e48fccfa40d35a40716cd9dd9a5cf02cc6fd647c463b6e07c3b616454ef69746c5ef67f9b99ce66b39a2cc40f921004852a5b5bb2a3217af4577f48ad6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8a1c3957a16666f5bcb195eb5d5c743d

SHA1
e6067ef04083384fb197dec301cb1beb9aad17fe

SHA256
ea1b91caf9bcfbd1fb28cd4f4a8a213e1af819147886b0195d88f5596356e636

SHA512
f58aa680459fe9523533aa5cc8fce8265977fd3b33708b01f7a5cc5cee598cdce7cbe46bf59ab5534b04557afd7d54c61a29316a2a88edb40a4c3041ea6bda64

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9ab8dbec0eeb60310e9b2be4d84dc61d

SHA1
69c55e6b1ce64cf5f2aed1ac7c06ba1d4d54095c

SHA256
e83859b7d65691345b8496b82cadc9480dbe4eef0b5a30a3614937f9a86386fe

SHA512
221168864d96576e970ae9c9b1855833245ede47d315e08b6fad623693aaf37ff7ba8e4282dbd8296dc62cfbb80210b4abd28ee7c62a241dca9130afc08c2a3b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e1f883684cb015698ba1c6755121dd73

SHA1
9ea880ff6c73bc0c598a8c0b8c27028bbd08507f

SHA256
17bddf83c1fb1e08d8239c10745aa3e780a76ec6b4c8558c1a94c4540d943066

SHA512
641a3eb8d5a382eeff3d47c2994eb4c154489e158fcf7c3c2c7ac35838a1fad5abd5adc764542f610bb0861f284164b5e1a57564dd81014cdbeecfd3b8a87b36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ffc6000fad0d054a31759a47d02ab5cf

SHA1
611cc4f6661094e79419132932cd08180d1e200d

SHA256
1e1b61c9846ab7f3f10871576c6220d71ba4ca6416930f99a9357cabda7f09df

SHA512
6cb611ad0ff5e8656dbd046736ff44ee6369b5aaeaf5360b1c9d3dabf3dd101603355d07622e207e37c50d1d90b9ed516136d440203c86e20a6c9ae8140148a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9a729a6b9180680ebe02eb87542f2ee6

SHA1
59f8abf24de84dfb891436432596877838712720

SHA256
1b12d72bb42cecbc4d86010dddd34fc427bc14e35cb3b7383114ef9235ab0f73

SHA512
11c6594d7c15983951ffaa16054a458f0a8863c9f170b08b57a8841a164898cf9ff32d3f13a69a98657da801ea17a978c437061be038ac5624ec1c52f26ba632

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e4cc3f376a0c10410ab7bd6c3b33736b

SHA1
5024e459dd766a93aa715b2de7a8df798dff914e

SHA256
71ccb48a5ce2679084a5bc32269320a3f92980919af526256b6cf3beff98eb5c

SHA512
ba8224cb64e69511eb1dabfce515700a1e673501c85b54afb4e407ac9b10b8042cfb762ca5b39a5cfac3697ed0cb8e6ab97ecb2437a77be08f75e22b1e997dfc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3af9493ac2dbfcbf377361778f058a41

SHA1
7a1a5369fa03263b6f343df63d93f54763ddec03

SHA256
3fc5bc425f3aa0130544c19c976dba55f5ca614dc7934d1f9c30b99b60065358

SHA512
fa03f880da7052bd4824d541a43c55da0e43cf2e6346891cf583236c0d4a3c03be0cc79d9521f8a2199228db7d6efcfcc680cebda6c1b608685a8ff3edc38e9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9bfb4c17136be0ed7101b7324a6f2aa7

SHA1
21ab923fed53e3a39877adcb99f79a26fc24ce7d

SHA256
4ae80a5c1b753617534d5b7c71b860615019d7d11dda7bbb0c17c7459d3b70f9

SHA512
77fcc6f8cc96523b409b3a5366f943a00ec6e77c54cdc777aa84db0352aee99d16f36a8edef59255bf8becc921ac9ce9fd08dd8f06a5af3d61ec18eefcb0bf7d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\4a0f66b3-8623-4217-8fdd-bd38582620b6.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f14ea860483d21c44d671814339a4808

SHA1
3cf0587c4873fa9eb289b57dcbd64b9550da0f93

SHA256
21fb7652c7374847e90cd67ef063b96e96ee7e75b84d1da15f6657bb7125df21

SHA512
dc4a0dbebcdc7a45ba21b378f7669a7d283a583acd14a4f964236ecee48d4860666f8dafda7338c986abaf653cc4849aee1dd04591aae4c7cb3518c75d4e9376

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
48455731c5c9eeb64d44305036cf024d

SHA1
af260fdb23816d336782d452871a3df794f2f491

SHA256
b6bde99eed4da77d9ed99f302f6a563fc6a29e96ef078e740fb4e070b47b36b3

SHA512
516c679772cd8fbcd0653cee4afe1bfe3b71bfd4ae41556abc172f0a0d5f9780687d328a9903d2d16eac6f239eed4631b1c91db5c7e8c7f3aec8e0881369e716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0d89ab5b44507be5fa36220bc87e9ab1

SHA1
26a8619118899bf4a299f69b14d865bab598d442

SHA256
2a2631ab9e0c69f5f8fe4894cb08352c638e039b916d797674906995114d6669

SHA512
d2ccd2802acbde7db8f1887663a3d9200e4e0f5f2ae662874414b6b262da682517fb494eefa3afa0aeb142a5c76cd22752c020fb5b9cddc6e2e9ace5256dc598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
09098c0009dfd99750ae0773a918bf78

SHA1
357708b26fd4d75695d3d86fcb5428dab13565d8

SHA256
cb7670cf6064039d5a2d26038e40d199fadf4e1206bf6e8901800cb082c92991

SHA512
3c1f8412125d7d1098b2c37ee3828eb7c1aefd2d1e2ad7409f5139e20f574842fbef8d30e35833ff508921f6240819a1e7ede52521fc777ab66f3c9e3723b72f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5775cc.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
9611f75e5dcd5ded0312f9337934fbe8

SHA1
a57e200893602d89ef7a55b3bfa6b57bdf0cd67f

SHA256
d53b0bba61c928e2991fef41443c5a08dd1578868d1f43a7d8bdebf1fdf2f2a8

SHA512
fdee6ecdb2d59afe15c94083238727a33c49a074ca2e63da2b376f44c63414204a0d6d20a24cf8868ce87a20d0696f7395c7591ba52a5f15a48f67a3ea42bb1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
102b8629ab04624beb435b280ec93566

SHA1
eff88fda09b8b45f960f2e67236aa9f414f6d635

SHA256
3c29f236a1db9ceb9f680e622939a92c7eba423ab4224b9726cab4a2c829825f

SHA512
be38fe5abf9dabec551ce2f259d283ebc46f66436077c9bc7052617c8ad2e1ab0dab39212b47969e36e6b92da50bcaac9c8a5dcbcb91cc908b5f3860e80290e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
59a7cf4028ef61f0554b18b6fe9fc5c6

SHA1
2a3a74e21327270a55e095e2430fac9f9bd5b00f

SHA256
f21b630a4da2caf883d409750e9cc51b208cbbfbbe1b9f95014e23e8c81f0b5b

SHA512
92a3360bcb2f7f1b83adcaea463bdf726dc140b06bdce45352b4a9a3d6e62002fcd87fd2db8d4b0d24246275973f36cc9c17cadf20edf62141061c5319609cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
fce689f6683444b6d9c087f4aeba7cca

SHA1
eb0aaab7d8c9e45433f8fde8cdbcf63730f49a87

SHA256
12b9fd4a5bbe83b73b2e2e9cdabebea4f2f2fd6d5eeb2b8bcb219e7421b21898

SHA512
8345ada3551d98d9f03c45d5493f6ec89eb7abc99a925d1cdf618de51134686a90586eb35be0a7ab90b380c4f4ace1f06cfe84ad90b8d0253c12b20335ec67e0

Download Submit
C:\Users\Admin\AppData\Roaming\1a8da2de1ed82f9f.bin

Filesize
12KB

MD5
fbe17adcc48ea342fee9fe81bc1d45f5

SHA1
5374ec56ea05db3dffc2351e79de86f500095c8d

SHA256
387788a6dd7fe97f980ef9e94db1c7826ef919421799ecb10241129491e2159c

SHA512
d138c861766b3ce730aaa3dfc0eed4c546441e5214f7d37e5a5767dcdf80b79e3a7c615d0d50fac1505752c47ccd716741550fd04f5ca6bf54d96c0cdf87faa0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
372978bcf778967a404104877265c692

SHA1
85abd1e28448ced3c500bb9924d1db27ac380499

SHA256
6129448e43977fd2f2d5632e59b04fd6c6811637b4e301db191746c8b7e3660a

SHA512
d1fdbeaf6b183ec83f2ccb72060066147b0e13fe230d0a03bc62c514c768a5d982956af5d6b3e31c2178463435f8116abbbe4cdedd54019f950cea2d9caa545e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca0ab4e8434db04b110c97b10cc8e1ac

SHA1
9f7a9fba6e4577b86009c2e37b2545ebc8d5ec11

SHA256
5d1dff42fe1bd7cf09fc3a8c743336f8eb443b8130a56229091da48f6495eafc

SHA512
d52b13beed2c924155175f8690a83a64fdc675d8d98471537f5da4a3dac32109fb1649e0016f60f4b8599f110443dd66b7423b1e07f2d97e3ecfbeff42be44c1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
11c19ade4863e228adbb9e2284579513

SHA1
f2255b3089d032cb050382b559413e54ba7bb39b

SHA256
0c0c7c53c6b5529a873fa2972eccc1e95bccad82ce5cd3e8428d3310a2e9fba6

SHA512
f149d0006486d9738b34c5b3ca78077e3240d98405844a1da53b0deb11269abb24263b1a317b03de7990dc5c93851cd870d6dddd844514256a31c4bdc2d8916e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f61166c4d3e5af5c65de0c064281524

SHA1
328b37834435efdcfab41c894e8bd059f55179fd

SHA256
0059ddf36394442d7b71c905aecf859c198db21b56d691acd0b694a568fa2f0c

SHA512
60c8a3a385b7adf579d30306164f314e89339e4fafc0d36f00e710a36125ec4bc2c392c2cc83f7f1e80982e6adb9a56e1bc422ebbdce35e3024bc2ec7974977e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
c5db404d44064a441c389d6afca8b592

SHA1
9640d92777a4533f20f85f2d2cc3cfb4dc069098

SHA256
0abf0db29cf9a2afa9e60e8a3e9290e6e602b87997013124fa0f17ff3dc08e62

SHA512
bc8e2e33504ecb4174d7675922d7161f2bf9aa9a022f812eea98210279e0ac2b1a4aa84d516ebdd2d1fcebffb38547cc40bd049b28d66e36e700c8b5b5677d72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c1f456b6272a24f83529d6c7c3152082

SHA1
33205ce9af130b0d67d3fd00725966cd20923161

SHA256
a747cf757e7add4c3d66f5ae44fc0caf7eb43b55634ca64cc29c7848d0584166

SHA512
00071677e1c79fdc8198fd1504f56167b4b171834441d723ccf3c40c426f21aec9f73d39f3847f76bffc55ca75ff1789bfd6c9a4989ea723c76ac77c1cd25397

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
9396890e465c35428da0ca7a3757f6ad

SHA1
1c4aab9052b60e1aec0e23a0b36b8317efb878c8

SHA256
e7a9b3ffdd2a80a9af9a3c32f46b5db9384f14cc6e5122b1f65f9eed687009b3

SHA512
a65bd61366be86b681fc141dc44c41ae448f40c6fc8e0066a6e6c01265b07921d29deef12b47c1effd41cfd5a7512935244630109c72a826eee7ce12673d739a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ad98c9e2e0823e06e031e9bbf565c47e

SHA1
f85672895d93c54e38403d8e749a57560e77b73f

SHA256
72b5fce1cf80d8864927f56ff49b1de9431eb097382f63dfcd5d1a86450549a4

SHA512
72da8a0da140b9d3e499326f9f6b9c4fc3a432848002ba9e8b6e12d419c7ce95414eb18731584099d75314065ba5d64bf2160befcb1513305561bf566c257908

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
be96aa8c1c7ff2c1c39b702125803546

SHA1
3e6000a859806a7f30bb67515d9cbdb5c957ad2f

SHA256
d25787878b686bfc7ad2de0af6ce6bbb510adec79f70e6004dd67df2162fc1c3

SHA512
d427bd5de6ac5493a3f992fe377591585edd8c13252c1311b25c8629e3b50d9ad4ae562ba022afc9818dc08645b10794d8091c4cedd6db6f5f925fc2c1dff1a1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
74528da9d8eabe6fc834a96155dd4307

SHA1
f0b0455253de600eeee796b95599a351c8b2c451

SHA256
22d417f5a0bd70ad75fa87c3aa010449b6a776564c3b7e12dda62055a2b68e4b

SHA512
89de8589ca9b5e17accd93bd49fe56c2d3dd39073bb79125e8af667176db54f96e29b67470531168074f87740c50d9866d9e563a50bde3c25055a05b1154ce6a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
86422aa4c4cc9d2e8ea574d117c74aa9

SHA1
4f5c29ee675b4caa0b2be1885dba8adb9c9fff3b

SHA256
0ec0060786190c40ad67da97f9abe53cc653e198cbcf037ac23fadb8d103de4d

SHA512
4a85824996027b8a0b093602401fca54c604baffbfc7d9dc0e36f18ca471cb52e74284a0c3d077d025e2a5701655067ef5315dfd24a106b67f36f39ec627f559

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c8f52bc883c42a7f1cc587cecb4a0879

SHA1
1175852a506201f01a9de7f0046f7af560fe1f96

SHA256
f063fcaf2300c058621f7f9672e1b71a388f68ae52e809867316bb4a45b75960

SHA512
4f351c56006d5a1f033e0fca80c4f2b591b7b68c802eae730306284f2ec1704a8efd7a66893e30967e3b70c090792c8b44703eae79a2f0ec1b887a21fdf33226

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0c5c48b171e962b04c71f2bfd1c6a813

SHA1
88c17ed789f019c2daa64e3335e85d694188dc3d

SHA256
716bd9e3b95bcc5e159852cefae3af4849f39bf432a20c956921e55739f06483

SHA512
aee859bed533ed221415c34e80f3e2c72bcbeaa2ad9c5fb8ae4b08ebf07bd3c8b39e594ed8e6f1432d0c48a7397b77084b6c289f02cf6e2ecce8aea8bdbfd37a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
297428b5d63224e97aed837d20e1ea0e

SHA1
977a54d8d1e637a5f9354191d0b88a41480d00be

SHA256
6e928d1da1e2b737d8fdd2bb6028d451e84562538ed1d32db6cc3fe7486a703c

SHA512
c447009bc6eca3d78b5126ea3178216f87f4bbedcf5d24dac52290fe78448cd7e10c635c437454609e94cebe6ea5eee40761841d5b78c247d82763e4d3ed64a7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3b84a66550ff43788eb1cfc2398d24ef

SHA1
46752b6c3b2e50a5b0ba7350540928c8738069cc

SHA256
7e3469b7f9833479b4f8caa6969f53ffb0e12fb16b6a020ef64ecc43b5273218

SHA512
bce3447b97040b5d613a739e2a17ee88fe958960248b3e0de95211544e6322bbafcb4ce43fa254bc09c824f57c8dff82092e21e875bad97b19b49df7dda7a63c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ca99336ba4b55fa087ee95bb458e810b

SHA1
2953736a84354605156656a9fc5006029e6b24f4

SHA256
351cd95801a59e8db34b08d17e9545c0f48f2dd075ba3b78cc55b53f81735581

SHA512
6f51c5b1ec472e0e5127fc9538f82705cc718569f975c81a6a03ee43df90eeb2d63e2a1a1632432316ff00092aa295647ed1436724ca6ea7f5305f3398f41149

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0e68646651b6f659ce85309da589b03b

SHA1
6aff637004c20c741a30327d32b7f4e5e85ebe13

SHA256
abfa71279f7b25d2b7e6cfa6c18723a39f6d04ff5d4d8811a3c3ca5670fec98c

SHA512
212d347447d675ec38e46e15dcc052b0fbe05452f03762dd9c1173316e88bbdca0bf46d63a18c76386647c11fa50590d8737fc5c5f6e5b7ec568ff278f0e40ec

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9487b32e7c4c76c36568901766820003

SHA1
bb4e74c5e8760583aa116067a1f3b47a6702eb9a

SHA256
fecb845786afaf28bc2a399a513b73a02a2fd0121a6a005cb105212dfe91db01

SHA512
49816e2adfeeae2c9ff7a65f0a3b4823e001a2d9f186cba2e7c58bb7bcf4e3309d1a48a9ac22bdbd4dc42263226b5741958bbb12180b3d3726e9671641421853

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1fb1d647b15daf88aaa38742d0c6586a

SHA1
e670f408312359f8dc854653ae87680f9efa2acc

SHA256
03e9151d8a82269ffc9b91db7b35674aa450766df48ae764f9bbdaf477e6ad2b

SHA512
d893cb9919f5e85d39defa65bd4d5d201b03e6a56ccef13c6a95f674dd35ac04cd52d979589863b17c64a192099d1c0b2eed54924e000ca32f7b7674add8f9bb

Download Submit
memory/400-490-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/400-607-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/684-327-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/684-417-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/1268-596-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1268-774-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1880-584-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1880-473-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2088-418-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2088-351-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2232-409-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2232-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2232-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2648-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2648-30-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2648-350-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2648-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2700-53-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2700-47-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2700-43-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2700-403-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2756-558-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2756-570-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2844-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2844-326-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2844-31-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/2844-21-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3352-90-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3352-78-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3352-92-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3352-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3352-85-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3428-614-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3428-775-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3436-44-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3436-55-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3436-61-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3436-134-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3868-313-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3868-375-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4612-7-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4612-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4612-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4612-35-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4612-41-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4868-519-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4868-688-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4912-94-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4912-95-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4912-414-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5024-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5024-776-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5056-340-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5056-364-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5064-772-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5064-579-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5352-459-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5352-446-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5456-461-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5456-572-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5564-487-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5640-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5640-769-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5640-620-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5748-524-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5748-766-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5816-544-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5816-770-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5960-771-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5960-547-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/6084-773-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6084-585-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download