408df471f8ca6dc95ad548fc04e3289b3e3fa8652dae84d258f5589a3ec12206

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
Size

5.5MB
MD5

abde92a4a4cf4768d899b3052fc75d94
SHA1

4c34317248db1b6063daf8e8b1651ed8cd3a4a02
SHA256

408df471f8ca6dc95ad548fc04e3289b3e3fa8652dae84d258f5589a3ec12206
SHA512

6f89aa72f456220db4c15ff4a4fc17e8bc2f0f89af4637825e37a66600489afbb3bc7b8f52aac5be598d3f8ed28e41e06d93bc1ab4ec23c611b91510a506d3eb
SSDEEP

49152:uEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf3:0AI5pAdVJn9tbnR1VgBVmsC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2288	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
1724	fxssvc.exe
2504	elevation_service.exe
5052	elevation_service.exe
5040	maintenanceservice.exe
3360	msdtc.exe
4836	OSE.EXE
3320	PerceptionSimulationService.exe
4384	perfhost.exe
224	locator.exe
3276	SensorDataService.exe
2872	snmptrap.exe
4580	spectrum.exe
524	ssh-agent.exe
4152	TieringEngineService.exe
4636	AgentService.exe
2300	vds.exe
2856	vssvc.exe
5064	wbengine.exe
3488	WmiApSrv.exe
4752	SearchIndexer.exe
5712	chrmstp.exe
5420	chrmstp.exe
5972	chrmstp.exe
6028	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b15c1f00c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098adee51f2b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007599fa51f2b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004624e551f2b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6be2052f2b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c41b757f2b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a910d251f2b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623589301417753"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4500	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
Token: SeTakeOwnershipPrivilege	2656	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
Token: SeAuditPrivilege	1724	fxssvc.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeRestorePrivilege	4152	TieringEngineService.exe
Token: SeManageVolumePrivilege	4152	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4636	AgentService.exe
Token: SeBackupPrivilege	2856	vssvc.exe
Token: SeRestorePrivilege	2856	vssvc.exe
Token: SeAuditPrivilege	2856	vssvc.exe
Token: SeBackupPrivilege	5064	wbengine.exe
Token: SeRestorePrivilege	5064	wbengine.exe
Token: SeSecurityPrivilege	5064	wbengine.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: 33	4752	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4752	SearchIndexer.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4752	SearchIndexer.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
5972	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2656	4500	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe	82
PID 4500 wrote to memory of 2656	4500	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe	82
PID 4500 wrote to memory of 2320	4500	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe	83
PID 4500 wrote to memory of 2320	4500	2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe	83
PID 2320 wrote to memory of 1704	2320	chrome.exe	84
PID 2320 wrote to memory of 1704	2320	chrome.exe	84
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 3680	2320	chrome.exe	93
PID 2320 wrote to memory of 4772	2320	chrome.exe	94
PID 2320 wrote to memory of 4772	2320	chrome.exe	94
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95
PID 2320 wrote to memory of 4720	2320	chrome.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_abde92a4a4cf4768d899b3052fc75d94_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c0a8ab58,0x7ff8c0a8ab68,0x7ff8c0a8ab78
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:2
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:4772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:4720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:1
    3⤵
    PID:3524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4264 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:1
    3⤵
    PID:5376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4452 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5632
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5712
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5420
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5972
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:6028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:8
    3⤵
    PID:5580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 --field-trial-handle=1932,i,17190030516888384609,8016047518875986283,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1664

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2288

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4816

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3360

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4940

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4752
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9a201750d9da7733cfd3c64250438010

SHA1
816263a86efc8818668406ec754724f6ba622468

SHA256
f78006cf7a029c32157ee23613d3e2782d59f247c653a94b0af9fc3d8f282b5c

SHA512
d2ab1072687046d0b13c026dda1c0106c0aaa394942ad9154877224da699ed71679c4b6617da25a9a9852823495e5d70f56a3b2a77ae47bb1efbdda8e0c8f816

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
87f893c54b854a92107e8cb9cbf2a589

SHA1
728cd857fc4b1abca8e41d0ab216eb952421bcbe

SHA256
7a7acc03e4bfcd79dea4db8097136cfacdb8cc24b7244e63fa1743148d2f56b6

SHA512
095bd409a883bb209d601f1bda26d4f8fd1f682c0a2330307105dcd5cc313b644e231cd0d1c8fe94c5380a197364bea7d4a1ddfafd1ace08863c061606ca4a8a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
57059aebf85adfc576599305f6a1c7a3

SHA1
7a15153d1bed814e6219f9eff4f953f0c1ae1dfb

SHA256
cef46e54c8d73323fde287cf0ca910c90180e43eefa7669586c50e6ce54f79c4

SHA512
1da227b5d12047b1984a3a49020bc7a9ec2c3a02e4ee61df8d1c1670596f67c1344c22a4564e9805a5d3d38c0e341b0275851043ab39e1d0f768834ebfe39b1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e290b94b30404ff33daed8efa727d91d

SHA1
53cb24c5932a0f7fd934f6ad6c128cae2e4e8748

SHA256
9782572ab9aca7ea08a723aaae2041ceb04d532dc49da1913d61b7e0a8a616cb

SHA512
564875b95efd928ad64f88fa1110d7d4263f5aa56d2ab3eb25a0e7141903d3138ed24f498c37bc0ecc7fe3f285dbfd968a124ff26f1512875c7ee96ba7108b33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
687e9fa526b5a86d1a13208101ff43d6

SHA1
c4807ab384dcbd1f9862e82fd8048feb5edab8dd

SHA256
6530d6e4559467ff9597c5f607aa06a39f8688fc231b548f5940bbe14117bdf4

SHA512
0018e50d56efba0bbf85fc6456be59598b9403ca3447aa17acd5ccd9f5585baff0d0346691e027f212afe0f7694de3f93e53aeaa84cabc3de83cc5ed06dbe27e

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\cffda07f-48dd-4107-a0a1-9547dec5abea.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6855000ee417fd3126b5d6f5da6e0cce

SHA1
c77c3c8365d27f4891a574ada5ff7ac06a98c5a1

SHA256
fa5e36ed00bb28f131d0f78ac8296537334021c86e98615ff2a7d83183bff8ea

SHA512
4c3ff3efc1300ebfaf938d731d30b4ba04a73848c8cdf2deee6126a1b3111c6a83773e1210c974d22a1209042eaaacbaeef6a12302f834395c23d9ccc8d39b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1d767ae87bd6f42e2f1596bdf1a20376

SHA1
2bbd9f4b246e93b55ca7e715a5842ac12f894dfd

SHA256
cd04d8694b80331fd4292f1b305b2d052aa45640aa75f3ff7a0ce355a1eebc83

SHA512
c18beb11ee4ee4537aca2c9ad64405f3ac48baa8884629ef9cfd385e4d39c1882222174b4749682543d555d8bc741337a2076649da7441033a44c573308b88c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4e00601e1c9bee57cbab66847fe212dd

SHA1
62ec0c2fe587524d5c509d659c95ac4d21096e03

SHA256
6a3a601e31755cb9ee88bcc544e4e22a61772380a32297adda6fb1af6d1ce91b

SHA512
7310ec422bf4106386b9e8930b7c598534cfc5c31afbbd389a4c5ad96870107b9222251f4c8e6bafe310e43c3a2d50d6045793b77e64d08b0536b1ecfacf28ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577cb2.TMP

Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
02d591c41cf93d068e091c9e777345ec

SHA1
a94cd8a1641ea63fbbd9c69620c9544eb7ae8334

SHA256
126cd8474be76ed09baaa2137a89ae4d21ccf76b37dc628b5869b0bd47f72d68

SHA512
2350e374bd205a1838f07907645fa7751695c6579783d8a3b7ee20a7ac43de624ba896d7d04fb156db5e1e50568d56b32f40e63d969c7bdee6c599966f84f7fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ee709ab4d0480404f364bfedb941ee04

SHA1
f28ead6f575083cd82cd2f3b70e7f0b531834d73

SHA256
b440bd0158438abcbd00a5d0c03406179bdb87ac7d711c18a1edbb62612cbe25

SHA512
0132efdc869f7fa8c1e0ef83a75943f1e53fdfe98d10c13e8f04737600e3447918889b74a753b30e24901480272e4aec2ba4dcecf0bbd0dbd38d996930983a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
a15adb567fcc945e874ac910ab1379a9

SHA1
08f2b08cd34189d943211e3de89c48cdf42b7d36

SHA256
611c6f45d2c4a931da5a1759c18560b0df12071864c1b5a2a5a04491a9a0f379

SHA512
d471fedf639c6a0e5a7248779789d43479dae776df956ec2d9e63cd3519c857094f34e768634114da587af52a5013145c02f7bcfa612c9994cb7534323298289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
265KB

MD5
b6e9847f343ad01de0583dfc01345f32

SHA1
a6dc2c36989c4c5c2a0e9af69e3fb6a8695d52b9

SHA256
d0b6315625dc8e2f8ea6dc660e62a27599e26f44697156667c788285aa9abab0

SHA512
e60dd1265440c55308d3a0e6a046dead7598b50659e9be8f7ee529025f2d6c481c77e8892eef6b88e8c3b99dacad6ea9ea6758eaea8c7f622e11b2293a905663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
8b47cd8eb7617a1ad993f27a8b947383

SHA1
d589d71f06d669c3cbb8b239ec71aed9e00eb5f1

SHA256
0a1099e1f302bc76a136b25f9de62868085044aa8d7e1f20baf9a49101d2ac38

SHA512
994fbff4dc20342b85d490e34b42a4803c51d0de4b02bf9605161e677a9554841d0e5e9a61ccff4bb5223a13a7f64bf6d16e6ff2af3e56e25166e463b90871e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
71f47e96c187c720b9af5b15337fe36f

SHA1
fb170731a08c3ffc350ae1ab2bfa6087ad7442de

SHA256
d1662a15b2e95f961b3cc645724928d8409ac2509913ed3a70714aa43794425e

SHA512
1de962082b259640cee5f30845396eefe04d23b2d3539beadfeb1a9540fd5fa5de513d53a4d45594e4a2c68f50bdc2762ab35faa03b7502d8f1152ea8f5afd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f201.TMP

Filesize
88KB

MD5
aa039f650d3a920be52b86d17330c7b6

SHA1
05b1a7986a1418bfefd3f454b20c54b7fe7eea98

SHA256
5ee8188ec6023a717fc6b6e98877de6742ee787d39e3876c7fa61b706bd88e61

SHA512
1d3b48a3b195b6948d1c23c4e667d98fe27454f14ff1b55cdf843f457d761b837b8c9b6adc8b2c16058499120f6ebdd854f14f924546735a09b215474e3786ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
68601b1b60fe07723e982f80961acd44

SHA1
1fbd4b668fcc7750a66751a6cf1056abbe338b6b

SHA256
bb57ca4c8f6c3c0dab7499638a4a36dd99e9d18422cf67a1ed196e35f93e3537

SHA512
d6f999f3048a26b1bd4aa3e170cfae4d014aa2e02d19cff47ca4fcb79ae353dc820f71039659e878762cc74338bec4a29f6419b7c083c9861564ccc98d5598b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
159973849ec1f9dd49dcd6f793fef3bb

SHA1
1623bcdebaadfcd511ce1270c14b3d9dbbc15a2b

SHA256
2f146ab159b24a96203aedd88d94d65741a04c2e473cd69d7c1c8c8e0a4ef2ad

SHA512
6ae5b11ebcb1a322a79d9a8c562cd6afdf3f00151daabe288585254592413aeed7c7548b05c29d6fb9b6f33babe581a45cbf1a879d4a495793703e7f91906cfd

Download Submit
C:\Users\Admin\AppData\Roaming\b15c1f00c3136770.bin

Filesize
12KB

MD5
796147d8f1347831971c7c1d42aadd7f

SHA1
94a65b3dc0219557fac9bec619e8d0ac7a2dc465

SHA256
fb8cd8e4e205923c4043b1dc9dcef65cd07bf9161d7628b0a2b7ffef3bb17b43

SHA512
99466bac62f80c3b0a18055e5df86c74bf49fe031d3151f3e370a835b9d849d9a3b4fde6ad40041c9c4fb3fafbb03098f364c793b1545b8362b1a5879c5bf332

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
a374862dc564437424add1470ec7d845

SHA1
002d0301af94ff6adec54a3146457fb4429b523b

SHA256
d5643c95e6ea65b368a9693c6ef49cfd6ff7c9d0e595ec60a3e0e474fee5f1b0

SHA512
273af7f15be7a0a668c58d7cfd9b82ee5bbb9ed92d5ca2100c8077dff51bdd9d90205802ed23c5bcb11b01fbd28730497fc1974f303d5f0a79c9b3727be327eb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4bbd0ffa6c0c5e4f3c27187e9df59026

SHA1
848b4b81d90355add77dd2d935acea34a6526efa

SHA256
0a7ce481dea86f5130b444ed214058a19b9a8b45a852ea9ca1d205e896635be9

SHA512
f271f68cb3913a9d517ea867e94647f19180c80ce5699029af00fcacb038a8690aed9dfed8b94ceae3436406894597ffaf9b4636d86f2cc4f096a3b29aa1cda2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a9200d18fb9d4badb33c5a62578596ec

SHA1
f7c09ecf561b016660189df90719719541d1744f

SHA256
61fe2eaba0a046ef5328904bbbf029d5f81c18467b0a5e65e7b3bfc532cb7763

SHA512
bb343361bb0d5dc58f44a0361a9d694d0e4f70d2717cc96ad2b9cfb5f2a6306de27151fc934b87ef27442c1834edafb2c4d6927254ccb2e5a5eac08053f5ab9d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
27bca77e5ba581d081fa7ef3b3fd8424

SHA1
c7d9fe406aa9cc789218c473119607b99592b0c9

SHA256
1f1f57cb7b6be301ed5a8db185eb0513fe02c60b67fa8e5b0a980e68204486ae

SHA512
ed200552ed6c022c0184edfacb032b77b775c6e54bae0ca386792facd5eca762da9cea3f8de4f07bab8e5a834b44d9168c00cec889d26cba419693cf4d154224

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
d6c5cf60c7ae9c45ae9e5ad9e4d868f8

SHA1
a97ff5010bb4de7daef9cd2dc7518641f49fa0bc

SHA256
9b2f7ccc12714619a0ed34a072e03fe92deb9cde595c8e4b4f5db806310135e6

SHA512
62d7158438d27121ba13d7c9de9a15c1e8c6e135f430f8ac401038c44242b9a44eb8a22c5ebd0a7aeaa3cc2ac7d55f0af9bc9a108e44823a2f64274d04df1218

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
cac764f0cc165b17e5e0d363ee68e852

SHA1
03ee8a55ebdc06f32c16d90bfc0d2be14dc114fe

SHA256
93b97dcdb0bf268ef41ba4d47585c2fd77feb0d78cf534d94f70fc3b4fcbc4e4

SHA512
1a699f97bad1a6508ed322bea477f29d9c76e98dc878f9965231122061f12a8f663fc3f304899fa9fc8ef3d354c7269a9c8dc4c2178ee4e25e1e225415bc8360

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
18d8fba92ccec1d46403ab29155d2406

SHA1
29e43e5fb9d829142c8e4266d7f82bf2cff46f0c

SHA256
0fec8dc2db5470f740aab3ffaabbde593553116b2bb618693d14f47f124edec3

SHA512
a5a09147312c7b4b9b13200667455d4ae89e0b58a8220f2146eb1bd070fce4267aaa10fefdf825104430fc0d84a9349b235935a3c1cfffccfbcdaceff4425337

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9ddc6f6c36935785356eafce9ae0c6f8

SHA1
1cbe7776cb6e2c0febcc6ca6dd213ca291ddf194

SHA256
13b3b06fd2882efd3e9e16d65a67c85a0f1eb468ca6b28a0742b5f3bc27a3acd

SHA512
ab74baf3d3eeea3b464df2d9c32af2d75ba7ea93fe0e7f7ec6ffb2a2851bf740e58268d19406b7b62ce075157fab985f080603cd1e94757432ee6167957aae9f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bfaa1aa2294f38f922209f6ff6b5d810

SHA1
2b8c2c296d99462b405c84868fa3659453541c6e

SHA256
b0dc0ae30097c44b3a18279bf42a26af1a897db748ebac7d90b8962d42d46ae4

SHA512
79555d693c2180a616b3fd38b459bdcbae486af64ed18c192e59ae78fa6fb008e3dcb7ae52cf54cd84e910b557d2959a67934c6e4ba17beb6759c2493ee0f56d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5844fe97e771f326855dbc151fff95bd

SHA1
56e60c4e47084d2eb963f407c8bec99d49120c1a

SHA256
3a0a1c5e45399cf1ac582eeebaebb9d9f2170416fd8697d6105290874bcfb104

SHA512
dc5cc9a72b02024bfb9e9eafa42b97c5f96362f2410edbdef8191b35d4e6bcac0bd15b92e250275bfa7fb1e18206c7f1b4e1d77d90ddc10834a018ec77a7ed12

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
da222e80eef1cd7e6dbbd6ae7f545eaf

SHA1
c8b4188ae57c0abe4eafd8b4a239ae6938977ee9

SHA256
0e7d9de4c8e45acb13e15ca9ad56a28ee2e49dd5609dd05d4628b7b01138fa5b

SHA512
7cf547a15b3836e05725e87f6e753b7184a3ca335dbf6ff8000a5bbc76c3fd62c9f8742104de16f418d94b4f8b96b14db3103edeb6e7c8e7554c4eb68cff9691

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4bab635671d464417c9c0dbf9fcdedd2

SHA1
00d2d7d4b11f336a9abc75938be2ec7136c82c05

SHA256
f1b729fabe6388898ad183f57e8d6325a463f91e6598a19bc2bcff1e5d83b8e8

SHA512
2d574a93ad849ebf8a254b0d90e20e33ea7015a1a2a3c9e48179cc865c05937dfda3c3efce7c40bd466d6ab5a2cc8276548f726c738a3f77113b4e9f23c58d8b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d4d314bfe26bbbc1186ce6a8baaa1e9e

SHA1
3177c0a57b989a5aef4a5f9c794def88efc21aef

SHA256
d4050e2fbb1de2b18db200b0316454010977217448d66d7cbd724306ab9e88d0

SHA512
28c632262237801ac870520ae0878f5bf6ffbcde3199958bd78fcf20dcd73409988acb6b83e7b04ded5205f34212e843dc26e01aee13e9fa2bdd067c2832fa04

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
da81c0efc0e579738649c9a1e80d1494

SHA1
d9b0a1c48acb79dcc1c11ff3bacdd778a10e7cce

SHA256
e9c438b3251cf539422fde74647e66d771c3743bc2dbb789949d19a53d971978

SHA512
02c8911d00c9cc33f4bedaa9f7e1e4388eb493d57f443f2ff7642a9131f162b35c5faed716d3cb2f4c44b4156fb7e9dcd18dbcbaac386656b4c2300eae451e09

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
8f6037eb674ad7f372430d1709dfb8fa

SHA1
fa6dccd520c90d2511a37a1a1b49dd69288a57ea

SHA256
2bd72de6f2ebe08704707ad6e7c0c16724b26db28c6f80b921e443667eac162f

SHA512
025d93dfbf3ff811d5772671fa625aa50edd42e381d36ec2ccfa01b898c5ec51f3e9beca9a2ead92a3830de972cd5183f859fb63e1a96a9d6e4f7efb7fa600ad

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ec2338a8112986cf9a59fb295f32189a

SHA1
71889282da8635f6799772fe08ceaaff8616f746

SHA256
1c42f1d73edd35ab42952de2576ba49d187cd87e415b7acaa4d6c7bd7cfe8b17

SHA512
4d44fcf486c61d640706d5817496fe47087043e66b847ff3d20f4d688d806f4bb8ad30e3fc93ffe871adcc275f8375688593b518979c0d02f2a3efeb5821ec25

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
e0fb596248352da59a37b6ffed0c9438

SHA1
c8626720ca47bf616334a84f5eb4a4fa8ac86ccc

SHA256
f6ce40eeee105bcf1d3934061d96d72eab51c7e88c1fdcdd00566935f67f1b0f

SHA512
3109dc8df3cebff4d5517ab079f08262f0a9853ce22ef2aa2de059af7bef2422e659ae8308367d6ffec587e9c1df018cb62e408659bdc0b1e3eed866d797a95d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aba63fa54f862c9649faf02739a29898

SHA1
c8520fce97a8db5424c8ab772dc6d267b2294e77

SHA256
e0089008af565add1210e8e0864f77f1985944ee78195f75659d54fc0abf2fe4

SHA512
972a4911bf0965d9dde42fd3f1145ca639a5a68e363639d524256484c0d372f880fbe298964fa7c962a3359a7cbda753392a1721bb1543215a3caf8c0dbdf93a

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/224-176-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/524-340-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1724-67-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1724-61-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1724-55-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1724-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1724-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2288-339-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2288-27-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2288-40-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2288-33-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2300-343-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2504-180-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2504-76-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2504-70-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2504-66-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2656-157-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2656-11-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2656-17-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2656-20-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2856-347-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2872-212-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3276-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3276-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3320-670-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3320-158-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3360-127-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3488-706-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/3488-349-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4152-341-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4384-175-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4500-5-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4500-22-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4500-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4500-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4500-6-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4580-673-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-213-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4636-248-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4752-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4752-707-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4836-662-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-137-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/5040-92-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5040-104-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/5052-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-532-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5064-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5104-50-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-52-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/5104-44-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5420-712-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5420-527-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5712-510-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5972-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5972-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-713-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6028-562-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download