b5ae1d13e98e30230714fe1077d4929167f7076ce3f903f6f02ad5acc678cf41

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
Size

4.6MB
MD5

75243540afa6a991b866fe4598609744
SHA1

ca37b8bc882c35c61504f7136dfa6db4187e65ff
SHA256

b5ae1d13e98e30230714fe1077d4929167f7076ce3f903f6f02ad5acc678cf41
SHA512

f4164516422995268ecc432a875eb5d2fa75361891cde6c3cbdaa8e5b760e4f67117b1db7c54bdb383d6dd459c56a4c66f3282a1d7e73a93c40faf7f17342c48
SSDEEP

49152:DndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGI:b2D8siFIIm3Gob5iEUU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3840	alg.exe
2744	DiagnosticsHub.StandardCollector.Service.exe
2908	fxssvc.exe
2036	elevation_service.exe
3584	elevation_service.exe
348	maintenanceservice.exe
4616	msdtc.exe
4416	OSE.EXE
4512	PerceptionSimulationService.exe
1168	perfhost.exe
4104	locator.exe
2284	SensorDataService.exe
2208	snmptrap.exe
2016	spectrum.exe
1204	ssh-agent.exe
3732	TieringEngineService.exe
1128	AgentService.exe
4092	vds.exe
2852	vssvc.exe
3484	wbengine.exe
5188	WmiApSrv.exe
5272	SearchIndexer.exe
5404	chrmstp.exe
5656	chrmstp.exe
5124	chrmstp.exe
5816	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c8e33b0d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa7b67224db8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005cb75224db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5a26e224db8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
236	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
4248	chrome.exe
4248	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
Token: SeAuditPrivilege	2908	fxssvc.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeRestorePrivilege	3732	TieringEngineService.exe
Token: SeManageVolumePrivilege	3732	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1128	AgentService.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeBackupPrivilege	2852	vssvc.exe
Token: SeRestorePrivilege	2852	vssvc.exe
Token: SeAuditPrivilege	2852	vssvc.exe
Token: SeBackupPrivilege	3484	wbengine.exe
Token: SeRestorePrivilege	3484	wbengine.exe
Token: SeSecurityPrivilege	3484	wbengine.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: 33	5272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5272	SearchIndexer.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
5124	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 236	2888	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe	82
PID 2888 wrote to memory of 236	2888	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe	82
PID 2888 wrote to memory of 3888	2888	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe	83
PID 2888 wrote to memory of 3888	2888	2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe	83
PID 3888 wrote to memory of 4380	3888	chrome.exe	84
PID 3888 wrote to memory of 4380	3888	chrome.exe	84
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 3364	3888	chrome.exe	91
PID 3888 wrote to memory of 380	3888	chrome.exe	92
PID 3888 wrote to memory of 380	3888	chrome.exe	92
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94
PID 3888 wrote to memory of 1116	3888	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-06_75243540afa6a991b866fe4598609744_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f0,0x1403796b8,0x1403796c4,0x1403796d0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7e66ab58,0x7ffd7e66ab68,0x7ffd7e66ab78
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:2
    3⤵
    PID:3364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:1116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:1
    3⤵
    PID:4200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:1
    3⤵
    PID:3696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3680 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:1
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3972 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:1172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:2432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:4092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:5312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5404
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5656
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5124
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:8
    3⤵
    PID:5384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 --field-trial-handle=1924,i,2301366871310880763,16782660703368549913,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3840

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5272
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5916
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
41ef51ec285daa2d80d1b2b2b44dd56f

SHA1
3bdbeec1a251ac8ed610556b6e50763b04c09d0b

SHA256
0a05f0545b19ed3c05aed1442b66c111ac2e2945d776bd8bbc84d563141380c1

SHA512
bc69f88e01196c9b887296efeb5f5b7d3863b3b89e10bbd139ec942a6f441c23f84c18d136a08fdd4edaa0fd00deef0d259b644bfe7bdc7c57f34a19da2cb4aa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
63033bb85f8ca776c7f4301dcdc39b5f

SHA1
2d8ccbf607b28d2b6e4ec102066d824346d6004e

SHA256
cb86fdd9a41b6e62327cbe59b156881e6efb93e79ed9b4a8b3e25fb6d6d55889

SHA512
e1b93216cbb41f92c91fd979a9c800d93148ec6f27394afff0e5735c335cb7319b1687c30969ef0a3ffc068b0f57b6b9c872926c00529ac09f8df0f014122f5c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
fc81280aff0948fe883c9d7dd4b0dde3

SHA1
45e7e4290914cb758b87b911d2b5b39236e3673e

SHA256
363f33e575065ad1926ca6cfa5fa8834de45e47b9186fefb3bd2dcf1888abc65

SHA512
89cc551f2d3920aeb90dab86db4cf592e01fe19ea7c5050ec71d84b11a05680251d347903b1b5048a118267ae72e8115f8a3b24554ea504a1d80dda7bb29f028

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1b62bca036af5a36dc6f0276bbe6a941

SHA1
405644406049753e8b0573f91f8d528d474e55b3

SHA256
94c1f4e8b19497004c3e10222c2f97bf68bb11e02a96210ea1dd64afe72e3b8a

SHA512
cac49e4894e8942f17e7b4fcdb05b55c3d2d2ed3d136b0341562cc3f744336a7d5fa2e82014e46edd28ee1050b6bf8c1495896a41f78eaf0858cc6d2093e61d2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c1b99d4e7968151557b3376af34b8bed

SHA1
c4d2fd50f0570fa127838145986367d8b1ffce13

SHA256
b5ab38ad65c41838f748e3d6a7632ced418d6a50182567a0f9a7cac1bc8ec6c2

SHA512
a6b4e17ae85a645d0b85f6bd2d8662978fab646070757704b6539473d22f433c1bca81e45d84eaa8729f3c7edd97167d73ea29c534add758a9536a1c329b4175

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
48a3c0f2eb14b1cebd55512275861a25

SHA1
1f72cb64fa0c1d1404f4d9b0eb0de045a22ccb42

SHA256
c9bc46a87c45b849694a2dd8eefb36904542b7170e6a753976e529b359a74f05

SHA512
bf7db52af56f5d1faef4ccb72c04c5710b0f4bc3da86d0df39d50322f5930ba0eeacf9b4117a4ada1908103937532fafa2579d876b82adf27dea67617c7f175e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
8660595b1dfa371ba2c6b316c8470ba8

SHA1
d3008b5769f4332ca0480c3293f43f0da066c9f4

SHA256
c4c92c5a869805e05401bb0e8c3d8b0c1d34f112ab6ee4e890d65e29e0a0ddfa

SHA512
d09e8378afc3be697fc26477f92ab3f8a29e9b5e894e706893e43b02f4922c4c6dbf73d68cecb8273bfaae9a3516dd728de0f073167235cd2ed7618269ca0dc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dff7679bebb6f76af5c5a68c5064d8d3

SHA1
9202f24010aa6f8a7797286751111f9c603f937c

SHA256
81f94a12018f03f464850b93ae393ea3f770aca2bfb25a4463c74000ace05fda

SHA512
30041f5492abf0604fba63fb8258b663ab7cc3b5b98c1d5d5d784f67b6b6570d2df23566a65213959d8efec446d5589e900fd7e989e250585510e52e88d7b18b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ada304c2331bf9a51f4be79c384e6ad5

SHA1
33c75c806af03a30b1210a4292b155d0856b90f2

SHA256
ec2ad8f2a2ed3bf4820528246fa60019c9a307433c9e45b491b6736777c4784b

SHA512
18e5640827e28dcb34a13ba03f98471754765d6b9f1febf440ac9dd6fb05b916f6005656dd3925ca7734dd6d4f7ad12ad4dcc2f7b607042ef4d10e0bcb27aea0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ca852eb23adaf286b7a86a2ca2d1aa0c

SHA1
eeb15cc3475915444efe09ed3c784884f39c582e

SHA256
b7a55fa91f8b4d1251f4d0e469556bbc74821dc3fb5b9bda018576394b9f5556

SHA512
d96e5cfb79e6c4b8d1164852349216f45f973792d1c365f6ca0d1c1da31764064bdbbe1baca9dde94612637d45938b1c8791de0635a10afdeccb7d0cf03ee25a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d87f3cacc7f1230b4b1e65789a4d1a02

SHA1
7f85825903d7b6f1726fa5b921db43f51919772a

SHA256
9fdb7bbb3b4e9636613b385525db0a2c3a3ef7b4654a5e4d2073629cc5817c7c

SHA512
b50e75f1d95baed5e4f0ee1027665ba21a71a2081a1abc5e531568a280a29298dbefdf09734b39ea253705d82e9372e400b6bcc92ae23421ff33d9a6137a50cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d96aa4a2c9c6cf829985178b27606825

SHA1
516829a2874d272b56fd20a04cf2943871f408fe

SHA256
4df034c8080fe99339b616dd8460645120c5fb79658593a5a92ad303196051d5

SHA512
63b3303df4ccbd8efe1cc5b3130ce1a9302a23afb21b6279805245a51210960c8897cf12a25b628a638ea3362673df897aea457ec748cd269158fe7d145ca512

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
95da6fa2a96bc956b9a0e0e9c57066bd

SHA1
32ec61252091ece2100f70774100bdc5ad9f6eea

SHA256
eb4f4e1ea49aba4372c75c16803847ac09f9f39fee3748fb389f30f6aa9da0c0

SHA512
d74224c6112d7e233b271a55acba97f7e1c1d87fc4bc3e2f5c52eec7f4660ec39b5d22d0b13bf1b87d6716f72a71cc1284a4bad12d8d3134acacad1e7656cf6c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b8d19d2958fd4c522fd143c641f475b6

SHA1
3b128d8a2627fac859754afb889defe35facf483

SHA256
72df56549d85c3c4000a57f1968afd242c764bfa399890f08446fc3825a53e56

SHA512
305ad2f1000a4037d4e9f4c37cfd2b881dec6aff09d50efd209b6783dcc35556202ba2093e9895d060651647f7b3913b9a6ffb792591a1839fc099961debcd29

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6116a2ab-6e9c-4d75-b465-df1333dbd8cd.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
98cb1efa681b25c4f15143ed81dd471d

SHA1
5eb17179805448934090b5666b3c45495eb93d9e

SHA256
2f8927cbf4cf79b1d21503d27439dc25d6ad15147e30e7bffcf517f4b3d6612d

SHA512
42ce8891292035bef4ba093615fb7c08e8ad3b698b06f137d4bc71a465bf90ff6c736e5c08fd82f4142f4766441b2749dc30c73ec6e1e2981627b414d89e1249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ecca8993047150870094c763386eb4e0

SHA1
e77376a1868359b6270fe9924477d645bd5d7d1d

SHA256
bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc

SHA512
28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bf79ca2ddb1a14938945de80a7b0c21e

SHA1
17c8c785e2caf6032e81ac705a6a5128651e8be5

SHA256
0945263322e93494366ca2f0468a5912adbe292aad61196b37f9f0446ec8121f

SHA512
2c4675834f93268ca7063205f40b14405593099bca81c597f71937eea5396cbbc83cbf0cac459b7d2b74cf781958831f354b7f3c6a1d75b589bec98dbe214735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a4412986c6690ac44b09925964f1592d

SHA1
5569e0caccf50a48d2308246e11ffa56f425ba0a

SHA256
1303cee55ccf8231677a15d283eb1961b165892395c2f073415882981db23fab

SHA512
d919bbe3e33ec2ebfe904ab1b5fcc1563a0f18c0418a5dea1c029ae496ec77df7e36b611d314f1f809eaf0148811b95ba53aa08c7ec1d371ed3bebed1ed7952a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4ebf7fb12ba1c9fb3e33633baf74f724

SHA1
405cb458e1638a31032b5f50ef68da6f802c27ff

SHA256
1ad4b972b9f06ebc6ccb063bf222628074ec84af55d06a8d525f1f57a95df613

SHA512
ee09d020a107f9aab06b520a8b1bfb8e6a38e5e47738936573a7708cb2b572f9865005c0411c1eb3be64d4639e5acff00b14d6841893065e368b728a3cf2a363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578184.TMP

Filesize
2KB

MD5
17452b252e572ce0e1d15bd52b3d96dd

SHA1
76e11b2ee8ae5cfbac60be4c4f1609879da3586f

SHA256
078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2

SHA512
23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f2b1ef608ede385654dd430e75ce59fc

SHA1
58b005111257cef57abe6769d889519db560d78c

SHA256
18e787d777475d4492907ae023cb567331c72375503d8e5d6a70aac11f917032

SHA512
38da308c9fb9fbd751080923c0429ec42a50ab80c47f824d80879e16439c30e6253734a20c92cc366828dc17644c856e9f7a2c6a6bb1e7bfa3e94baa764153d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
bf1964222e26f41e68eb058b525f69a9

SHA1
2a3f30b1be985d26a8e3460cb2ce482da43f9632

SHA256
498b9daf2ed8cd163637a52745da5512029a6263bf9de1df7df22569bcdadff6

SHA512
b018b7be4ff18094c45a33014bb15e70368991cc6c1b97bdaa82d8c09528ae352ccf534b88256f52e1c5dadd17cec4ebbf111e83f3d3b316548888e389367a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
5bf97c45ea29ebce820f51bcc28ac71f

SHA1
8c0d4ee1e9fff95f3b3b18e776fc0e5485de6230

SHA256
987da1ad65a74e20ffe91897ac032d6da111fcf1f48c6678f57555593c91ada9

SHA512
117285b6356f9d2847c71ddbe31a3d6ccd4b0dbf4dce039e18f786297bbed3455e5390f8b8c5abb20ba87c1e5d9a190ab1bea9d58a8b5e632c1d63e426d48fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
b64d48b99a6e64a3635b766c92c5a7c3

SHA1
0ff1c25e3877784b2e3e52fdea9ea3af22e36c72

SHA256
3118d0e8e20221cdf6f4803cedb67d4c1ef8dbb12b13c9dc9a8e8c6b78ca055c

SHA512
8c603bd774f5b061169686413ae8bf7768c619370bf10f92d5691cbb5c66e21e6cf9d3099642df488a4eb32c11f91c331cbfaa3f348d45c53e5ba18d03005c92

Download Submit
C:\Users\Admin\AppData\Roaming\4c8e33b0d590e271.bin

Filesize
12KB

MD5
7258276a676d344384a817a04c9e443b

SHA1
4c67d872cc19bd62069a41cefcca3c0d4dfffb42

SHA256
17ef6ecd60b41fe90e6bc5241c73e6f62c97b02f35d6f72fd7e1e749fc20085e

SHA512
8f7db30e719221ca4b83076315005dfd17f49693c6fa6f26fc6eb110e05c416cba778b3a6098bc39095be7838eb6b4723a4e227da9e0599d9656e01dbf41ad77

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
764db4de03d7df0e543a2b08f67af496

SHA1
29ffe2861e31fd18fac009c080bd32811b050095

SHA256
2e5d6630ad5786cf82cba137d95d5168786b27bbc3c8e53fd848f7878e34b901

SHA512
894bc4a21c50db9fd8634dbf09056ff94d346ea9cc7dc3737f4867772e1e9f47df94bc68b4aaf126b6e35826cc0eab850a930cc561e402a08f81e12774152c57

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
68c09e53cacb4c6fe1c8816819f51bd7

SHA1
5aac0e883ca3a7e57cdea84135eb762e4f9b17ec

SHA256
7dfa070ea9ce2f7b7c3a263dfaa6ac30c88d5079d3e637039df594b5da636443

SHA512
9ee545352010126d029c222f1eda7e85a54555b1604f5aa50032231498a6a87d1eeaad81ba2c9613daa8b335bf3647c32dd3dfc63aab528aa881a27f95ea45fe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3b6f58cfde28d187008f52d000976c2d

SHA1
e46d9fed3ce5b6113281d1484141ffb3adfa3428

SHA256
f5177544568150dc673bb213d5da983d28f314a1f23da60712a983639f1d29bb

SHA512
5f6177b06ae4c3796d1c1a4ec65c681ee7f62b2368b430d8b21384aeba3c53305c2ed3124e856ae00c7cb03ecca3a6d3fd4ccd1249f333a8ed255c290449819b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
34c5766df67c29069455269a947aa88f

SHA1
845dc195b130510c2de44a60ba9a9c36d4f063aa

SHA256
3f87f584217d1073d2174cf9bbf30f9f96d8ded9f729c2c9b5d6e78c8ab990d3

SHA512
ef255028fb06a6790cf027726e4f385272b6577fa1578d86be28e2709fe07d49099521acd8f0652fa610674805f8e2906bf336e988aaf19cb839a6ee8ff9c476

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d255ab3e0039d87788cfdd237a4b6597

SHA1
d28530d8d8ec38bfdd8597ee1ea948c858d157eb

SHA256
ede592ceeccbb184faa38ddcb5c6df77939dc11b7c8b3e4f38af1708e00b658f

SHA512
a8ec3858c5a15a90f456d135ed2cef47435f6ff56fe7fc66e76b0b15c72daf653b4a60c7c2e6705cc9ba690a06c013a76e4abc5396e581f1738be96752409b0f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2f156ef3c94fcddc4a8e80af0895c1ac

SHA1
85f48c24fefd3039edecbae75f6a107cd676cf9e

SHA256
77c228736836410d83ab6196ee50c489478c457fbf0f28a7b30ee832e7161e9f

SHA512
d2b6c4cd36a07f0eee60e6e23d9b6618d2fbc0baeb6e86b7501d871670983550963e542529669c166d007eaa7de77062b30ca26cb36a57ad8c0a6f7891eeb964

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
96b53205d2543cd5340b346a394bbb39

SHA1
aa079bd10e94bf11668fb477a4bbba6fc8f08a91

SHA256
c0a06f7d97b7371f63b9d0b06718df5797702fbd7acdebf12b2359ae95a683b0

SHA512
7149e16b788fe8c44c225ed50969656bad28bc52f623bb1f8b9d8c6d50082d45a08bd38ce28ef0b01f15765f37f88a6e17639396e1c22cdd4c16c9fa16226768

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
871c150a172e5bb40ea1a4f2c3a5bdbb

SHA1
5382dd264675816e1d5287010f3d9b0add69e475

SHA256
a564ed4bc71b8cf21d1bc67e7ccdba8416a19991683b0cfc206b2ddfa7c1ad02

SHA512
5e62e99f263259b914d6287cc928423b7f46559b46f320fef9d23c23f8694fbf94d8092358fb8b41c62b6c46426f50690acd115c56babfbf52ac8c0e036c9f48

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b4a20e41a16643ca99ffce7eecf7cfc5

SHA1
2b753b336b8743084b220b07af8861d3faaed8ac

SHA256
c3b44f65881af92a5fb723590da9fec919a4c8a67defdcc4a549d807462da3e4

SHA512
477c271729ac8879380398d3449e870b73f5b1426d5c82b8f453becae0b2cf92a275d56778434832c5b2d02af1c82c16c4b42df7506c0f6fd69b3cc795e96719

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
568169cb733009fc51948b78121e9662

SHA1
6871459ee055bc95aaa444157274b07edcd588a8

SHA256
2572c7398508e97c652a1c66b22144604987bccca32fe567c1aa90c2f799088b

SHA512
b77a0304b034374af0db82c0fed6637d193b6940ef0edc04e7e4dbb7be01928936485564cb10242bd38bb5a269dc65f4177edc212a53512f338960ccf30147a9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
5b1941ec41426c60b4375131086501ab

SHA1
912c78aa6007fc6d1629812ce025ac0e34bda157

SHA256
ed7a5c08bb663a51dbbaf55532bec4f3853b33d7b93833acad4ac23895e07540

SHA512
2e1ee09823c3466cbd2f1e5bcc27ba1755bd413f2ac608212d9cd915625ad52444f5701a61965bd407cee3d208af3ad89525f8183bab189f3858a8518246f7ba

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
acd5ae9091299f1062cf62a4255cf485

SHA1
248706145092bd9b8cee085268da6f35a7b1b02a

SHA256
b37148efbe8c876f8fe306be934566ec3fd1a07e09d714d5723c655b6276806b

SHA512
01d6e1d52de82e45b972ec39d53603bc492ae87ca35adb49645320d24f644c2ad05c76f6b31a0dbaebfb828897093b85baaec8ce31c9694e3444808c36eaba4e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9477c5d0eef59ea1f679fa21f4e02c4f

SHA1
6ffa625afc6bbbb9c8f33f3fefdf6d150707e8e5

SHA256
04ca5efc834b5634f7af572bd75064a77e3fe845ea484d11ce8144d21a1a90e5

SHA512
3c5727f8de90b0a812bf1edd4542e76f0ee91b41a606d9aae8ea9d1eafdfe08ed4f77bf874f0098d2f5d0563c0a0b30041cc1ff8edf1e65cff288d4cabf7a65b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4937df299258604aaa9d2b3f726e9c70

SHA1
bd4839fa6e20c2a961379138a3847ebd868fcd4d

SHA256
a137c5c146e93d5b75a26759515e0566fcadc6d2240cf92bfb32321ef5103b02

SHA512
863c45b96b798ec6033981c8cfdae065dfdbaaaab6245922bf76b49fac393382f8a1a7faeaf1ba1b2bd813f3e4610df1cf1d7847ad1150c5941048d18b35c609

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
92fd71589207d2b964ec2b9ecc45e12d

SHA1
d5205831e198c7d7696e80b39cc9210226466214

SHA256
b4f53330c44584664132508c6dff4f50b77f78d123bd02f8e0b962c4672eb784

SHA512
c0679ffe28eafde1d0fff7a3c3588eee66a3457e8fe99dd27565de1e8da21cbc3a0c4afdd6bb848fb4d42caf0026fafe5deda85e66c3b873ba5f95ed3e91392e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4ca80f49838e5aeb6f64e339e2520c9b

SHA1
12b9f01c736f01a163babd2dc973ddbb14b2ac5c

SHA256
72be46a91900943ded477c9c8dec8fa954b150bd992008fca362ae4e85a50c72

SHA512
eedb1ef02f21365d4886738dceddee0d58d384eeb9ecdc00d8b2111ad02cbd0eca0df2452650ccae6de1c6e96d09c3e80c42b05b002b02496f7562bea57ca2d1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a4a68a66f0eed6f8b2a5b98874ececc9

SHA1
cedce988d531e2d9c35794219a7b57fc3ee292f7

SHA256
c7fe7027f8d544d428dd20b3a044561766eb1c6e8b348f823c81572e5d3a4297

SHA512
99f607c7369a3131e374f3f4c1f628c6627e664271f9dd70242b4a4bec92667d9a5d9b05b7398c8e920618039fa008526d368aa699d83ba514028414612b8819

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1f221206c7b1767b98d44ccb94f86182

SHA1
6dd9e377875693dfab76ec40f4793c71cbc088b4

SHA256
030639425e07e2b331190ad29f91d1c145879692d717850a53d0223f22e3a9b0

SHA512
c2d817542c979d660bb56b745e138b58f452cb73adc3c00db2ae47365c685e2bbfacfc5a072b4e945c37f9903a65a7db2b517ffef2352ef42b4db68cc840cdcb

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
95c33cc1969930fefbdb95f99b2a9882

SHA1
cd2cd226b2c6f6de0bb090f9ffadb8e643a23970

SHA256
53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e

SHA512
c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
308e0d02a303ff7e02ec9fce48fd3f26

SHA1
70433f8978a552f24e4d996a99bd556efe144d98

SHA256
c91b4912036dadddd4da4544f93f683d3d404502202260c8ae8e1d703c968479

SHA512
789ac62d0a569a6740e0e7efbddc723c6f73808a2e85f8513f8b91da5d2d948ef17f24687888c319b0b593c3f615ca279dbca95899729ac225d6de7db392e3c5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
5604a9931d29eef00b5d6fbf36ac3ffb

SHA1
4039b610bd03d26b40856269376dfc161e56768c

SHA256
36eded064da69b6bf6e7b4f6be01f8a5a4df3c47d9f282a370fc450625af0798

SHA512
2d0879bbc40c5114443e2b993d5aadf15f017689b0e9f401349d2e55b0dc64c4681c26c3834b408ddd4115793a7f5bcc3e4c188778c3f61ff40021b8f50f2842

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
e85d66a57d6e6e5e96de25ca4673e2e2

SHA1
eeae690d7943dd0b90c00f5322e886d7dd043c77

SHA256
9483d62d37b0961fd031068dd62d371522f44d566dce1298ff550bdc0ffde854

SHA512
d02c44e6f3d03ff95542f0fd1b1280134abfc924ed8769b10a7bbc06503b317731c338aa0b2fe99cbe8e325c8e7fc64113d529be9bce147774ae0a73049b3631

Download Submit
memory/236-16-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/236-10-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/236-167-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/236-23-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/348-100-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/348-120-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/348-109-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1128-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1128-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1168-168-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1168-314-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1204-525-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1204-234-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2016-505-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2016-229-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2036-73-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2036-67-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2036-147-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2036-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-485-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2208-217-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2284-650-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-204-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2744-50-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2744-51-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2744-41-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2744-49-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2744-195-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2852-711-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2852-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2888-0-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/2888-26-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2888-6-0x0000000002070000-0x00000000020D0000-memory.dmp

Filesize
384KB

Download
memory/2888-8-0x0000000140000000-0x00000001404A3000-memory.dmp

Filesize
4.6MB

Download
memory/2908-55-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2908-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2908-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2908-61-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2908-77-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3484-776-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3484-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3584-98-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3584-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3584-233-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3584-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3732-533-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3732-261-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3840-187-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3840-30-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3840-36-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3840-39-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4092-660-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4092-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-188-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4104-328-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4416-146-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4512-304-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4512-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4616-122-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4616-270-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5124-529-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5124-570-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5188-330-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5188-777-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5272-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5272-789-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5404-581-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5404-491-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5656-790-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5656-507-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-542-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5816-791-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download