aa5375e268f2cff72e2e57273ef81cd3f656dcc253c1c1887cdde2a6592a496c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 11:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
Size

5.5MB
MD5

c2a5a273ec2ac1439ee689858e7b010c
SHA1

8aeb54bb3b8bd0f0218eeca47db27b0b3ce8c628
SHA256

aa5375e268f2cff72e2e57273ef81cd3f656dcc253c1c1887cdde2a6592a496c
SHA512

67c19c0b58c073169ed3d2865f95f9558eb23396766f845b3fbeacb86224413cacf19823152ae030c8f6def525e2748beef0d2a272bb67eb61689f3fe8dc25f3
SSDEEP

49152:iEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfg:oAI5pAdVJn9tbnR1VgBVm2qo4w

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1088	alg.exe
2328	elevation_service.exe
4680	elevation_service.exe
904	maintenanceservice.exe
4636	OSE.EXE
3520	chrmstp.exe
4840	chrmstp.exe
816	chrmstp.exe
3460	chrmstp.exe
1896	DiagnosticsHub.StandardCollector.Service.exe
5012	fxssvc.exe
540	msdtc.exe
3756	PerceptionSimulationService.exe
220	perfhost.exe
2816	locator.exe
2464	SensorDataService.exe
4532	snmptrap.exe
2424	spectrum.exe
2560	ssh-agent.exe
1240	TieringEngineService.exe
1380	AgentService.exe
1224	vds.exe
1768	vssvc.exe
4580	wbengine.exe
5012	WmiApSrv.exe
5184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8aac1651ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b550deb89ab9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032b3e0b89ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4f9a8b99ab9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006533c3b99ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002254a0b89ab9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a97604b99ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044ec19b99ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3aa9ab99ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002404b1b89ab9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623212355303676"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000caf19db89ab9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
5880	chrome.exe
5880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	396	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeDebugPrivilege	1088	alg.exe
Token: SeDebugPrivilege	1088	alg.exe
Token: SeDebugPrivilege	1088	alg.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
816	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2892	396	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe	81
PID 396 wrote to memory of 2892	396	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe	81
PID 396 wrote to memory of 2140	396	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe	83
PID 396 wrote to memory of 2140	396	2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe	83
PID 2140 wrote to memory of 1624	2140	chrome.exe	84
PID 2140 wrote to memory of 1624	2140	chrome.exe	84
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 1776	2140	chrome.exe	90
PID 2140 wrote to memory of 2380	2140	chrome.exe	91
PID 2140 wrote to memory of 2380	2140	chrome.exe	91
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92
PID 2140 wrote to memory of 5072	2140	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-08_c2a5a273ec2ac1439ee689858e7b010c_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5336ab58,0x7ffb5336ab68,0x7ffb5336ab78
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:2
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:2380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2096 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:1
    3⤵
    PID:1232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:1
    3⤵
    PID:2932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4280 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:1636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:1352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:336
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:3520
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:4840
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:816
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:3460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1776,i,643490185638235481,4993009134051197802,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5880

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:904

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1240

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:5184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5604
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5f33be7192d39143be1b1ef8ec155cc2

SHA1
09e6f03448a74baa161aa6fe31171817599a7943

SHA256
3aae5ff76e209a193717db027c7d9662d56a2cb230ea29d168244a0e766928d4

SHA512
0dbc9b2e67c57283156e8813cf1fca6f194c75186f125c17a70e653b305360b90ddd42de10fb143994d9da8a14451b70f6d25778c45e630af2ad30bfddbc603f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
94cee9fff7b55fa0810b68d6ae776f76

SHA1
e14315be2d0e2f626216a766217026ace7b5dbf6

SHA256
c6cf35c97cf611ffc7651846348f6ba6cb70ca21ae9c75862450826594832d66

SHA512
5e3db1a942b2e4fa091eeb8f5e6fd2ed794e7d4f23637e033d76322d4a863f2c5d7c14cbfce3e16165b9a2c9368323231161e416487028ac19a8526f22b7496f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
67c233c5b4174c381893e842222f7ccf

SHA1
91c85e1569ce86a2f2f1453520b031c24f5ee09f

SHA256
240f59168c49620e575dcc13ae067a58f589ca9b87fd13a702208adf18f2a07e

SHA512
624980bd50d83e454774dd3bde25cfdb262b622eef2b0b15a6d631686afec9fdc3307e558a56575f0c1de81c0ccb3c7ebbef5ae7ade1209b078d178d10a66fe3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5f5349a71bc7bcf235ca826be7002fcc

SHA1
5b576e8e1759505dd459b32be0e916f314204e24

SHA256
887506b3eaa5061130cee4f9ddc34d0b2b85ab2db77e1c59e5332ec5bf41c33e

SHA512
f6f3daff6a09cb22d00774b32a2e557abe5e30bbfa8423e3eb0986c669e0f9897e98844b91b1725489b2c03850e5d59a56986562a02a856639e4b105d9aa0241

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d8afbe1169f558ea371d8c9543a6b696

SHA1
43814f3d28ef694319e52e8e7d318a72fb1b7bb5

SHA256
fd23822fba4a66aa23cb612272354148a8412e4043f10494ad31f6c338f19e5d

SHA512
e23f5edee987cf23be6111325374e9279d244d5c0dc5a4513f8e693e8cc65ea2e182820adba8d37e7cea1b074314ee557d67164df6d18ed8aa6ba64cca1e41f9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
79071a91bce2bc985cbfb42eb7d48105

SHA1
d8373910f304aa18d8b21dd93fd973e35034e15e

SHA256
b83b994e4beb95bf2ddb594c58de4911b6214a63dda5c225903575a85664a62b

SHA512
ff598185e14add5caf8eb43a5b8e5e99743ae293c766a372c3c6153c31c49e35354350dde21fb6d55af21864c376cb7a962b9e4153e1cf820bdcbe0fd4e00a6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2060cf834f837728134364752826e452

SHA1
bd001f52ebf5e26049a76c9041b10c177796b5d5

SHA256
4535013816859ac00d8dbe551c10896e26ef478392988ab5ab85ea4593c36eb5

SHA512
0882f3787b4e26ac09a8a04006e1dc49bb64399c8525ba9ee4b5f57a8c76d8e2b27fc49f917e57400494a14531f7c71af45ccdd05ed41eb59e8b0be673644693

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
32f9ca2293888be540051bba2bd70165

SHA1
6fa304f119bbc8b83cf0244b3237e2b975b24202

SHA256
ec59020db36df0b40a5c982ac1d724acb045623d2a4ed38bbf4315e4e669336f

SHA512
2eb0026f9f0cd9388808335ce3d527376b3ad511773121dd2383a1ae9384fd6a3a5f9400df00a6a175af8f722f61393f3780e82666ba753b05b63022e8f18809

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
50f20cf506c5698ccfd319866048f613

SHA1
148f7f28aea2b0b92b9055b6ea204a649bf6a508

SHA256
6ab3385a6f5430b359534956282052bf7fdbb5d42358e66e42854530c2c91394

SHA512
510830928b528c3cdd9352fbae939d1f310f242fe2daef856d9a5b99f1cb736c395eeac3e810c7cda611db3a2d807f6e5d15caa738388602d3841c6de0036b1e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
737f72c9ee1b804a08686930573d0ffc

SHA1
cd5d6a8c7fa341de5dcc9df7c4d4426eb3a52a77

SHA256
2cedd3248276af2b545d9e26a756cbf51465a2148945bfc9c601153adb815f2e

SHA512
75c10546b2ce9690775290f48bf46faf89aea1feeed56ec85ba293fd24294b2152d5cb94e89ca204aef2980290b7a361ef44e15ce636a1a68d9867657ad163df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
707416794b2adcb4550611396b2eb828

SHA1
f87f85eed05def0ec6f813412ba36233bdf9ae38

SHA256
52a2779218369dcae1bf426fda3b45c29431564e071e3de365518470fbd2c422

SHA512
c48a96f0b2eca1faeaff788bc83c7c61284b8872cea50252dc99a48bc88cf4eba74c39a3deb26056a44450b86906c9ac4dbad1025a380367a1cea08ee5bd6523

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5986865b39fb1d28319dfd727119a53f

SHA1
fb4d867b69bdf27f5eb84145029d875947b1788b

SHA256
d562e48f823cd8ccb3b2a7820348a9525bddd8b1d93e759de402866b6f25b5fa

SHA512
3e3f569f52df11a00efcc03bf28fb91cadb5a11382b8076ade8b3b19eeea13fb512233647bd02363be6b9919c10bcc6aa1b03e74a1aefd205ddd0a516cbada51

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
31417a3783b12788cd09fa008888e41a

SHA1
68330c4d421a5514a3b7d2c6b723e507caac03a2

SHA256
7c1a5685747858a15e54e48300a9d20033af864af7c2097603ac8d7953df1e2d

SHA512
a25b760315688f58b06f14e011a7712274cce1a5cdd7f76dd74cab11d338fbbf90b6f77fc604d182f335edf8b464c91c99f98b21ad2769c82bfc1cbcfc32aa7f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2ee3b2b2bea590019f724809d1a179b3

SHA1
ee8049e1b5b481ea917e76547ab61731d9ef7c22

SHA256
df355ed028f1d50d2eb6383de85585c92b64c4f9a4d876fb9db6c3b4a150141c

SHA512
99f5c63e6395f63801f291b4350aa31529a706423cde2f08bc7c6258cc24529f46df6af599065f4511f8b568600c3b504fb615896ab0bdce9894cacbaa1657e8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3c2ffac3c5906f425eaec9d20b8f8c3c

SHA1
f985248a43083f6a70f29e34d7a080a6c2ecbccb

SHA256
bd2eb78d22a025fb9833ef72d4e135a32c686f023d969e858d35cf4f9229c9ce

SHA512
4bdc6b50d28b7dd2ac6111ff24a9ee1b84e4b4db0648b1a86dc34c45e90db8772836cb7cb75640566910d7c3f07243e77bc09bbe9416f5446ff7a2be08cf53fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
73ab9eb573a13719d7253bf21f553c4d

SHA1
66994c4c07d879a9882edc4d1da7a66b46a79099

SHA256
fa4e846f671d11c32a40cd9fe163c34d584daf75097905a4405e3cc80ed070f7

SHA512
e543e5e732a5b216d7ae804dee28c2bf2bc4ee0c7d056f10e4460ffd4d83dad60cbe121d207f445f0c33c7aba152a411e14a5c2927440697ceb7aed71f122ea1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4e56243a905abca9f8e7398c4addf8fa

SHA1
33f3a0ca295a5de15bc27911c5462670ea773fa2

SHA256
91650b8438e74bcb7a7563d4c2ab4a1cfe5715a69cd41572cfd771654499afae

SHA512
235f7c422b407b286fffff1d9cc98a1069f1d474f8e60575d9779cfc3c85597e878994b637d085760d27c450a632cabae63fc8aa88f79b5caecfefe154b7fe29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6cf90bb6c3ac497b5a6df29d3f9601d8

SHA1
cebeefd8c16010f455cc9d7ef910f10a38284794

SHA256
d81223ece016615cc4c66e7055119e2919acd23297c7d46d4274a3bc4c9a206f

SHA512
10b72ddfdb4e7e506bfa07a8f05a16308cb4697b8ba9136540d3c13ba831ea331e12a32cafe8f1cf6742ac8fb7f1cb3caa8f3995df1470c8643e404b1ff8de63

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
710f93d2337f0d54dd3da35bb8934854

SHA1
942197f46d7f9412d3c844b809e46b4e8d37a942

SHA256
0737d2392bad5063c043cb63549d123c657ade1f722521c2a05be05b317cda69

SHA512
9fe78cd8b4921bbd6d9e5a97003d94429200aa6d1705ddd9c29bbf702be3f8d9b4aaf95429021fd19328174e32daec54c6d244247722f4dcfe4ad366a8f765cb

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\d7ce9dcc-bd7b-495d-af49-85ad3d2a501e.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a9a012788584e3a46d233acdede5e71c

SHA1
a340d961aa089e877c9a1553774042f32fa8545d

SHA256
73ca647afe1553360fafeea4b2f3c75ae4e93992581ae82cf3960c86faa5cfcc

SHA512
91e79bd7cc3403b03f1a047c9ae80768ae89ef519ae0b7e4b2c10acecd847b0279ebdb6d18f06f26c0bdd733e5da229ec47a5c5748d5f922dca6cdcf2efabb1b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1433abbde4ee9d0bd8a1b33d7a22b784

SHA1
7b80f1c2bf95d18767c2b5d51f252791738276d2

SHA256
7cc85a7a47f11ba14e7b27540c46e7975d3e1ea1f5a261ab8fef93cade0b0a63

SHA512
fb936a5ea98ac7940f0f9e810cedc987579c627dac34e7e63cb9c6a1757ed0951d737eba2841746777b3d7e023202e13756e372e2e1bbe53947b483315d4522d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0cd429098412849541cb95afaf497de7

SHA1
34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

SHA256
d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

SHA512
955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8ac74c9472380fff159f54cab1799ad5

SHA1
5cb39bed1b552b4022993e54592de05d37cb7e6a

SHA256
a16bc11180b68560d124c8c5bfe103ce1bd45ab1f8ac96e5dc327b05f3507f05

SHA512
f6ca2ab954ad63bc19f7e2142500f432c6774ecc161ec1dae6bf3396461dee620f542827303df26e8df904c6b7ddc0c69cf185ea2ecfbf9fa4c4b83c538b10e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3131384b69437b731c84bfc5128c6c30

SHA1
25b9082cf243bce8bf833fe2f918f54285ff9c37

SHA256
f2299c41c7450aea140fcd7236207199ed2c03f38834dec715b529d0bfc7fca1

SHA512
ea3040dc0649410bbba6c531f592327e95ee4c4dfe93737b16a0805bbc0cb826e3ca0bc30367e8d70fbf447f119b4711c45272b2fa2c8e24abe5052f6947a6fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e2e4e6264bf8c320fb2768f45fccbe13

SHA1
4a25550d59899c0f75c33794ffafb82253d56c41

SHA256
ef2366ef7570ea2071f678ff92e30fe4c0ce5500ce0fdbf1dd162ef0614cd9bd

SHA512
c00666dff58edd707c07b36f4b26464a574c002fc3b0eef041aa86d85d7da138a1d0124d43385f9145ada7238305ab6340483d500f021dabd611937a6ad26406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577455.TMP

Filesize
2KB

MD5
411ac782e18a3f8947b5bbdc13773829

SHA1
d9a709bb6b79ade9df4024e8fb6e36190070bc21

SHA256
0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

SHA512
03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
c85b41767d9ef83cfc3d4074b75a5b77

SHA1
96f7816eff6d66a0ab6008d3cd9df4a0acd7275b

SHA256
e52b20aa4b0346a31a48d0d36f76f0789dd6c0b6b66c3982c2f5598bbca1deaf

SHA512
58c752dd95e7873fbc4418cdb747d66761a7422ea2f2c18c357cc5c226803f7c559a2d978fbb27eba0e9a0180e05af8ea1c670cb9642d7ff0882a2c4c08da6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
263KB

MD5
ec2694f7366b6af20d8e4056d3789ecd

SHA1
1870222706dbd08152554a95c3e0b497231350f0

SHA256
96ab41bdb4e951be700673ccc18044fc35486b05d2429cf9a3e645a69bfccbdc

SHA512
4b5c29de7af730ea406ee0c9827736aa4276e2a6be61f36e2043adb524b2f3d923646d34419ac18486f5c2bf4357b7602a3ff749ef43a6a2bfd8272d9f1b9f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
fb14afea6658f81ac1e0d397cc3e5dd6

SHA1
781da893f2a248a30eb90e62f21f803a1a037ea7

SHA256
f4ff2b995043f8ae5f59873308fd827706cc703c4d3b43c033b68328553b4879

SHA512
4b3da5a301d8b9e2c758f61c5b832a3e87f809a9fc4d61dff5be4fecfbd5e0a76fde9dd3bb4b63f6d1cf490c8022c0c056bcc58a637a9ce7b91d296fb48c4e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
642a3022641a7423da112b6065be63bc

SHA1
3945cf1044119deadfcbb5e4f5bd8e15cb1fb974

SHA256
90bf866d381bdbe76fc23b1b5211094f781165f3c10e7c08ccec9bb1a10a5fa4

SHA512
2f226c106d407927c4358c51be8b32ab4d282f19f41b6ff06037a4abeedc065d8ce2ccd2e5fb3445fa03972d4720d97daf4e5119c594aa283524a320f25f9ffa

Download Submit
C:\Users\Admin\AppData\Roaming\c8aac1651ed82f9f.bin

Filesize
12KB

MD5
e868d297c9fa75e22862e4b1dd7628f0

SHA1
9352353820005326b30b75b9712aaf821bd06da3

SHA256
5df4df7d2b60ca758d060f57b7c893edfbf5592cbad73f18579fa3dfb7442f92

SHA512
b5aa721076214731789b8adceef12ad5e8d789ed71bf7efde817aa0bdb01d0dc9d32c2834c7b5b0957ad8e1105785589d059c21574ebbd85a9f92e021ae310fd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
07877b008ba34d815b753c41b78fde1b

SHA1
a3d3ab45ee747f8aec6ddaf1b01b6ad8c340fe92

SHA256
379af20b8bd7b6fa88b403715a761445fd4a3856b8312cb3bfbe917d44e17ff7

SHA512
3b9106670f74905d0d04afd9179940e64f0729f83e2d129e71afb0d64c8bf639f5ab8b06281b738dfce3095bd27d5ec93dfeeb61cdbf1e2a353a098386ff2093

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3322c9bd09d12b529b0e781e79a53926

SHA1
4e2b2fde3135bb7bc74895550ce245863735bd4b

SHA256
e17f8afd91d31912eae38a278eda84c7763489adbc9895515bdefca5295b27da

SHA512
e5237c3739dfbeda40e272431a8ae874fcddb84d915c19d4fe684707ad8dca3b2a83bb2a44c2a842752773b1b0ae4e87af8a95b48ed1fa855301d7142c3a5f99

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0b2707d4de94050192bcf7db50def7ca

SHA1
54099cbc645d0b83d2342aba3226759131c0797d

SHA256
3b99dba516f4daa48fab6c8fbf408a95bc71aa58fdd422c0859e331e7fbed2ca

SHA512
6c51252b9f5e0c578b01dc78eafeecf1f888f6f5be86a75114f6817b97949d528b2690d58744475e092d656f0039bc6b84a70692da1a9aadfb269bc169d8d7e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
26ff7bdcdb1da15fd8fecda9d99eb61a

SHA1
3869ea6d06d877c6596c083f428d432e7d822354

SHA256
c53b4c8e4e1237a6605a7f668b9c6f1ffbdc795c84f14ea70c06bb7fae14931b

SHA512
f397c70533b6fabc7052a55913982e5956c76eb10e4f29e6c53f52bb56997431a30c77a04b8296f9a647a7d6d9e34c47ff4ba1e426075ce50bcf7df1df938859

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bb90f3de68b5cacc4f1bcae18ccd780a

SHA1
6a9ba19a77b7d006131b25c1509f605144b2616d

SHA256
b8a99cd49c1d942be6821f694c5284a148890acd81c95e192a84e4574d5d70a4

SHA512
2bc37490e7da0251ce28dde6681033d2e4e071391baeb67cc4113a36f8ec3a13925971127a00654df2e0bc8c143642b2895917b71a5abb39c534f5fa3c83af6a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
65ad87412bb08b07d0298811d9321db1

SHA1
e5beff31ca69ba769c2a8d12dbdfe16a53a972ca

SHA256
27bfcf9f869917fb73fc7a354964b46e77a018c3b96c2030ae8ee2e0a85931f0

SHA512
19668d0e2125f97b5c8e8bf2a6237fa14216b5873b1645ec3b4cae65a3725850a704dc973fc75b6d92f4d3c142eb0b6c7b79194f56a6caf7ab380ef63f4de94d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4bd533c9771e428ea39583f6f1a83756

SHA1
ea9b41248ba6a57e8487b1598d3b5de34b01e537

SHA256
437834fe710574039091856c31f6ea32913ed3808c694ddd48a14c8cf5aa4df3

SHA512
32a7ab75bf0535a8dc2b89ad2be61125884a7248ca6962c7d0e32f0240b40dd38c5c989af32a817094306f14f5746cc2fda564d5ca1d75747446a7d4dbc951a3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2fe3db0d9b1c5f7892693f52190b62f4

SHA1
d1a04c1974e805823b9a079d3f6fda2b24b3fd10

SHA256
5e20a423afabbfb676593d6ac65b1072ed1a7b0420f48cff528c39b51a079890

SHA512
c3daf2d838d7c0ece65ac1bc507f6d2ea56c6900a5c984b977598f029804a7b8a14dcd27adfa978087b231eef15f3659dc13dbfcd6fd1f2dc973cd66570e822c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
04c101be5694da7fab9c5495e2468c9f

SHA1
7cb21f2e8e35c488de9bc7f5120afd4d0b436d4d

SHA256
353da14e8bae90eedefd295cf70a043a24fc59b0fd60cece926c2097d25ea85f

SHA512
8677ee57d314c72093567f87ea703427360e868fe98d629e05bf2af85cf5fa1a55e9996b380eaeddb1ae18bbf048c9b156ed021e5277753dbf3a66cdcc26ffcf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a2f644ee585bcc501caf15da44448579

SHA1
364d692bf226ccee5c0d1f94363824868b6d6993

SHA256
2d5e7e98e1d187c91b0cb9d8f61f8ffa57c15266ba3cd19c0b5c8f330ed00859

SHA512
9922588bed73c7b5147f82eb4689d671d2b1a0030661bb4c76d8734f85a90693e433b01ba0230597d428f376d523a0a0d7f0ee4731987b4d7c7f2b0ceb98ecf1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7bdb7c38e1589428b653e85f2cc684af

SHA1
ec7beb2c73d3d741707602dc367961d2e0640099

SHA256
f49dd2d674c25dae8235737ab619051330d3e42eea2f502856cf062d6fb28754

SHA512
005e702d3a10acc959e2684bab74fd0066ff35b10a3da4838d93072b5b362d78fd5079a0d759e8d3222089b3705ad3fb1138719ba2877d674b9ef46972a5ae0c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
effce6dbc0e339c4e52a5d6e3df1e112

SHA1
8923a5c1c491e12bb09626e0b48a02744c5787cf

SHA256
86733a90dff7ba3b3e61352c2632688a1c3ebbb450b70bafd1e629de0735e7c8

SHA512
242bbd7d4f73ba194d326d8615d2129610a55d096e6450ea8be9fb1198be4a5766106f3717bbfc4f0cda72739fbbde73fc29b0e2d469bf068266741d9ce89d53

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
633edadba8ec34066999e01b798395b6

SHA1
5ba512472fc569e45ba78ad774a88e767e08cbb6

SHA256
10a0a73769f3d0c326190872d2429d9b30aa3268269e36af30d80b94ceb3c4ad

SHA512
a42215776d228aadc5b5d5c2310ba69ae9c0617f1e92f769bac8e8fc7770c71c6de1384751f9748a2b57ca158b6e08856322e81a4fec8226c395aada515bd1fa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7c7d40339074510950f638365467877c

SHA1
3620333333031c07d23167b5c92698ecd8b31095

SHA256
976086656353fca462ae9614d1a897595a4331d285e93adedf395e6e685037b0

SHA512
927c5367b9f4f1bcf88dc5114f849c4abcc19f693d512dfa03c1ad67593c43efa31c97f11a30dee196c1a8783d016e321617168511b6fd3938179246415ab162

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
61b7a33f47a64cc02bffddf6127351c9

SHA1
cfc2e99fba5e986064ddd5978fb3a0728b9fa394

SHA256
3c9e065c98cc18c4f3f295385e8b7deeda7a76f8a9acae17f22ae776af03f96e

SHA512
affa5c1842abdce5bc9184769170d93ec9b82870ac3d2fba46ae5b46d21485d56322b1251df35a62bf77a9e04f32a48cf5e46a438e7744f0f640adfce99b7e5b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
93f5d6f58bd3d1672fd99991c092249d

SHA1
5d692b5121542f1bea67f9473bb7a4b115a1748d

SHA256
afffb4f2a60b000a61451768883c9f36bc8b72bc01c5e97e1ef8002dc0f1c3df

SHA512
46c2d0b9df93cf872564e7917ce7a67d386bb145f1b0783b11986785f445eedcfcee9151bb59dbee3ef9c7ae98fee80f6310158cfb19a9ecfaa6466bd96f6b4d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8b5ede6e5b92ea23642719c1f1c84aea

SHA1
649ae401f5079b5053cefa3be4a1c486c2e42060

SHA256
fc022255cd352923276898cc0fead478d36acb459f33611562593030b8927ef1

SHA512
8073e0a47e5ba321b6ff9157133094d04323cc585f4ed22a0b378eb97f34ab5686bc1eb49ab16e34fcc6c06ec3960b42cc17df6ee0d5f6bc93c918daba59eefb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
140d319205eebe759bb519047a3e9fed

SHA1
d189c1c570204710b33bc6fbd6717cb89659672d

SHA256
1a7e1bda5a86c1dbd291a4dee7d0660666f4e28e2fe269adbac122a918fc452a

SHA512
cd87ef119a1c7e987563553b29440b6c202282930d23099aa568e604103e603da7a83203eda12ef949f94776ed778abb3d3004b5830207150e8cdc6bbd8e0723

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
4d858969f9b63ec4e90b337affb40980

SHA1
c5f517b47ddc66cf8fe32495fe14e425f905c252

SHA256
d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9

SHA512
df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
66d971447f0eb4cc2d2156a77f491ba5

SHA1
1eb07176ad573b6054cc62f9e2baacd1fd264e7f

SHA256
8159842fd24e95f6f4990259fdb216cfc85257d9bfa3fcf4c91e285f3ed7e280

SHA512
226560555af25a7ed618f23c2824c90a8939050d3e66aa3de8839115e31b0128909676943a0ce438bacb21bc3a4d66c137acb13a805e3eb7d5aa1d8be4f763e8

Download Submit
memory/220-593-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/220-483-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/396-33-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/396-40-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/396-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/396-6-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/396-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/540-569-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/540-457-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/816-321-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/816-353-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/904-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/904-70-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/904-83-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/904-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1088-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1088-30-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1088-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1088-391-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1224-789-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1224-570-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1240-786-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1240-544-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1380-567-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1380-555-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1768-582-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1768-790-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1896-439-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2328-241-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2328-239-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2328-90-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2328-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2328-42-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2424-781-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2424-529-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2464-784-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2464-618-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2464-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2560-785-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2560-541-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2816-605-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2816-493-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2892-388-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2892-26-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2892-20-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2892-28-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3460-333-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3460-403-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3520-295-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3520-305-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3520-366-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3756-469-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3756-581-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4532-516-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4532-713-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4580-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-791-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4636-81-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4636-94-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4636-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4680-401-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4680-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4680-91-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4680-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4840-307-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4840-402-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5012-442-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-455-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5012-606-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5012-792-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5184-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5184-793-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download