e7e8230c65b736ff426d96a49c0cf869f4ecdea043b8cfeb27a136f300192e66

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Size

5.3MB
MD5

74cdce28e58f609d0d37242f51e5650d
SHA1

23c46b87dbcd630d197180fd2ece5445490b141f
SHA256

e7e8230c65b736ff426d96a49c0cf869f4ecdea043b8cfeb27a136f300192e66
SHA512

cfdaa8ae306bfc034897199222a6c7692548a50cdeeea1df859d2dd143ff0eb8ee82d2cdfcf342e874d5d7848e887e99ecc44b4befebc65f1d7e3eeb11f4c502
SSDEEP

98304:ZLXClnwPWrDSVYg5MHKO6HCfyAo77wRGpj3:klnwPihg+ByAo/F9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4796	alg.exe
1052	DiagnosticsHub.StandardCollector.Service.exe
3332	fxssvc.exe
2216	elevation_service.exe
4184	elevation_service.exe
1736	maintenanceservice.exe
4832	msdtc.exe
2948	OSE.EXE
3000	PerceptionSimulationService.exe
3304	perfhost.exe
2700	locator.exe
3512	SensorDataService.exe
2592	snmptrap.exe
1144	spectrum.exe
5028	ssh-agent.exe
4964	TieringEngineService.exe
368	AgentService.exe
2324	vds.exe
2100	vssvc.exe
3392	wbengine.exe
816	WmiApSrv.exe
1148	SearchIndexer.exe
5796	chrmstp.exe
5944	chrmstp.exe
6044	chrmstp.exe
6112	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exechrome.exemsdtc.exe2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f68b97827489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exechrmstp.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exechrome.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587921925469630"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a7c22da8199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057e8d0da8199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3ee4cde8199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c4027da8199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b2d14da8199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001759cda8199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b80d82da8199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1656 chrome.exe
1656 chrome.exe
2360 chrome.exe
2360 chrome.exe
2360 chrome.exe
2360 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1656 chrome.exe
1656 chrome.exe
1656 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1656	chrome.exe
1656	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

pid	process
660
660

pid	process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4532	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeTakeOwnershipPrivilege	2332	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
Token: SeAuditPrivilege	3332	fxssvc.exe
Token: SeRestorePrivilege	4964	TieringEngineService.exe
Token: SeManageVolumePrivilege	4964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	368	AgentService.exe
Token: SeBackupPrivilege	2100	vssvc.exe
Token: SeRestorePrivilege	2100	vssvc.exe
Token: SeAuditPrivilege	2100	vssvc.exe
Token: SeBackupPrivilege	3392	wbengine.exe
Token: SeRestorePrivilege	3392	wbengine.exe
Token: SeSecurityPrivilege	3392	wbengine.exe
Token: 33	1148	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1148	SearchIndexer.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1656 chrome.exe
1656 chrome.exe
1656 chrome.exe
6044 chrmstp.exe

pid	process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
6044	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exechrome.exeSearchIndexer.exe

description	pid	process	target process
PID 4532 wrote to memory of 2332	4532	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
PID 4532 wrote to memory of 2332	4532	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
PID 4532 wrote to memory of 1656	4532	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	chrome.exe
PID 4532 wrote to memory of 1656	4532	2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe	chrome.exe
PID 1656 wrote to memory of 2868	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2868	1656	chrome.exe	chrome.exe
PID 1148 wrote to memory of 872	1148	SearchIndexer.exe	SearchProtocolHost.exe
PID 1148 wrote to memory of 872	1148	SearchIndexer.exe	SearchProtocolHost.exe
PID 1148 wrote to memory of 2264	1148	SearchIndexer.exe	SearchFilterHost.exe
PID 1148 wrote to memory of 2264	1148	SearchIndexer.exe	SearchFilterHost.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1720	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 704	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 704	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 4636	1656	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_74cdce28e58f609d0d37242f51e5650d_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.168 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140431148,0x140431158,0x140431168
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb784acc40,0x7ffb784acc4c,0x7ffb784acc58
3⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1900 /prefetch:2
3⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2192 /prefetch:3
3⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2452 /prefetch:8
3⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3228 /prefetch:1
3⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3268 /prefetch:1
3⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4536 /prefetch:1
3⤵
PID:5256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4748 /prefetch:8
3⤵
PID:5776

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5796

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5944

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6044

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a4,0x2d4,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5012,i,8233991485280590722,3518876467126630867,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4828 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4492

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4184

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4832

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3512

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1144

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:872

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
03b2f5760db5d62bb39dbdd7a6e7aecc

SHA1
f75ffae2476d8294ea560b51724e6feb5472e878

SHA256
aa3fbd2e4ab2bea5e8c2c5c1f68414ee9b784e119365cc8bf939d1514c881278

SHA512
6e5efb38140680173d10a558490adae33e420b23194e8651a4cb08c45e10fe8230a8257446eb5117a9ceb5d54054a749da7c86427694d74f5acf9b29471dcdff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
6dc7b8143dbf38775789c9770690595b

SHA1
f445c036ff90d2c6d429803aea4f7cc227693a62

SHA256
8f61d05e3518246cca6e07869a65e77ef51942f8c486fbaa8d33ee486f928cb2

SHA512
a746b8d82411d95d2901fd05a0100727da3b142b3967cf55a5908fbe831abdfbe59d14319d8505fee9ac51996ee69c367db85e2ba0303b1759c610d395717b60

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
ea12db1e12682366d0456c02f61e3d0a

SHA1
70a3fd7fee91ec9a70137f9872fbc0544712dd48

SHA256
a8315cf2cebb2db949e145e707c4024986895d8ce40b49b5d34d06a147bd3166

SHA512
b811ca4d35ebf811924566ea44725a866d29f9436832440b04310abc158b716868384377bc90ba53582f024033888e2798b217875a1858e58041c7c33002eb61

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
9dd8a3f17ed19b5f7259f7c7fd1569df

SHA1
43b66ba5f6c5afef1f281e5981774b2f692f7fdb

SHA256
f8920dc48923bbbed75df8665bed3b87f97aaac7cde28df608e34ca37bb70868

SHA512
3ed8f41f51d1b01a9452442bd990d3541160bd6ffefe23d5b6fdba463ee2e8114df296813c3d73b60a14e30f462f02c1ff5b45a6131fac0fca9da89bd9b7e3e6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
6b32e28092d21541b6cc5c73b5a1a767

SHA1
148df732380f6ea24d4274d957a14f80672cdc3e

SHA256
4a9b93c3439545f1c146abedbe8a109cbc3e5afc61aea24562aabe89d9d7ede9

SHA512
eb61b7559d430ce3a9e1d837f05823c82413e185df60f84c263761a719800efd2e86c818f95ea4d2e89fce988b9a8d8fbceb27a5e0d0810f871806db4ce592a5

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a69a2be7-76fd-4d27-9bc8-b41a16c3d3a8.tmp
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0d133f51-3dc3-4ba8-81da-cb75da1dec04.tmp
Filesize
77KB

MD5
b956b048c9928c44889893ea412b1a21

SHA1
15d873c289c2a8e472ac128177e25ca91136e6d3

SHA256
68f399072081c055be024ae3bc55ae9d9eb518541b12c8a1c7daf5a41c2cd8a2

SHA512
b097b09020645de07d4508340a6d1c3dee5af323cfb38b773f43cac0937a3f2429fee8193f34415041c0d3f2067b54ecb92233b4901dca88907cd396e090b2cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
d363bac5b27719e2e5f858a1ec056004

SHA1
6c7dc32bf0d4c526896e91b08f79671c63101702

SHA256
a06579491c750d6143401a0a3fcd3dd3645d74aa166ca0046d634aeb54608e31

SHA512
858adfa49067362306c2395c4a9e51a00352b1c1cfd6c38c4476356b319bd721ae946b2f25ee56d80c34ed896508158f8f43eb551f91e441dc3ba1f352a36dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\28a442ac-f1b3-4f8f-9bc4-92cc9e2a0760.tmp
Filesize
649B

MD5
ea617517c7b57f228af6133e2e1e404c

SHA1
22007dc922e49357e683bf637e5afed79fcd3166

SHA256
1e6912beacea2e638f071e279cdfd7c39eafa7427cbe105b26dc7c5599c5756e

SHA512
92fed1ca5b8f782810f8b1bc6154cb67fb1407a2fdb1a0636cdc660f3ad06cb23129887c0b5edd2d5b4040894abbc228a5b3a9825755bad20f76978ec00d4f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e02f588b1a4870efb25ac00d9381256e

SHA1
6c3d41090e370053c21c1c800b1302c5f3320630

SHA256
2304c4847a2e0be9a749f1a76e3c0129e827cebc49fb41708e9842ea7a98289f

SHA512
bcde1bcd3387ad554fb8763e126a4a7b3622ab4ca4af3a445a8be2d55bddf3bc5aa24dda5e45f71fca96a798786197b9d0180dd65db131a0b3d013665415e925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8db3d3569ccddb42ff614b3cf711b95f

SHA1
cfd83809b14b43770b14b6e60c5342af5e746582

SHA256
3f42a874056e5e49324cc5b378a891a2993d77c38ce033026611e7bc83f942c2

SHA512
a7f8373a1754e7c51463ef28ddc7e7febd09387f1ff7a1575ae384148eb579c5041e1115bb44590737972a6983c70b1362bfed2cee460a1fb30160ba33833b8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4f08588731028f609788d84cbbdf60f2

SHA1
94442cc988907ef32a38c7ab73b673eee9c0c31e

SHA256
c61886e52745f3ffc2047b1c31504f11884433aa34683260c38a60c473b321d2

SHA512
7d50ce91f51980af0fa4390de586dc0ad629dc8b982bea24b2b52a401bebb2c8c90d73fb57932eceeafa3c1d92d8aee738324b212422517c107240716329646a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b2330eedc37ca9681e49ae32c0dc327a

SHA1
dea6763124d0d4eef9945bd36785f1a7f761a2a3

SHA256
98527612325cb58046a6efeacacfc61e07622851eccde58e83ce6d24b8742488

SHA512
aed4add30d4c5e2870130ad7af6d198d42a7ce718cc92f91a7821c10c1d27f070ecd60a24472dc9ff3da0b945d9d91c00182d92814db3f4b478993232792d666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
22129674693458b96a6a8c56bebf5a0f

SHA1
7d319eb1a5f7c30507c74b27bd56e8eb436298c8

SHA256
494bf22b850faf91345e23e8e7f8e10dcc25a67617d7d9c0bc4021dd7ce2cedf

SHA512
5b9bfda1b9ba03e80ffe872c51854a80fa5891da44d38ac5ed1e30a92768a7589ca1d1a01cf019bee9e14f1129ae5559d81266f296ad8d7989ac5e7a34d84356

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8aeae68259c829dca9f643ad64dc727e

SHA1
9ca229f46b848a03410f007ffe559d0926622386

SHA256
ed9a4d4c75d584079d3f7ce22b68da70fc064d35963078a4f1ba51f1e5208112

SHA512
d5f5105892f1b7b5754d1d92d1ecb60e02353679e45aeba2ece90e880a4564c6db821a5e2ea3013bc6aa928a11c4bd6ecb543942b3b375b8e540553f39275ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b2b2521eb9fe97aada23f55fe285768d

SHA1
95f63182b934e08a71a18b19fc0377ab1bf87680

SHA256
97c75cec833fd29096b202d0784eb9f80f319535c752c943b8be9637f36bc4b7

SHA512
568a4123d3102da4ccc3b01ab7ac63d08d6f0ee45b2b9d5671a6a49c3ab453b8e2968180357e7d06456c5396ff7befd2a9a146b5898a8a89f13dfededdb2caa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
dc818e60698bb13d76ad0639cbdd6cad

SHA1
4df20a67056846d27c5bf6214980de7bd83a7b69

SHA256
497623cddc6503d873b6a048f934586615ad9e42d5fe635b9b4957f79935246c

SHA512
8555b1cbb0056469990dac6fd7266613820e18a136f6fa8895025ee0d07867095265c0b78e97a6feaf57a44146161bc0739da0e8d244638e40be499015ffcfae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6fb9e976c443613c826ad024b1e8d647

SHA1
6fd5df0e9b67254fadc212233bfbbfbce426913c

SHA256
05a19272c0f06c6f82b71871643d63ce70a9a8285094775fd3d4ccd3b783302f

SHA512
f74e9d4349a21969a58a358498c67a040121206e3727f85d4b95945c905799cef79d12bd337bc5a71e38db5db652b45a811f3329b61baea58b89a2d4a3c6057d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577e38.TMP
Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
28b743b5239e07219bf9e76823a66b43

SHA1
7ca12abd8e7a624940bcbd02c68edf4721b6a79c

SHA256
7f33aebac58e3b0e0944e64ee271562bba419de4d1e5d1048d197a7809b65dc4

SHA512
3e7451f263367c6b42c566a2f332107b05fe06b54b20d993f0ac961a8ac528dfdd6f9dfdac83168ef8b5626801dbeeed6b409432d7d67356a74db1a2a3c843c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
53d2ae98d77a176990deecd41c13297a

SHA1
bde26e8e562ee6c49451130b5343244180bbafff

SHA256
5069629abd1b25ac941e6c15979fd69eed324e58988922713ac2bc0a841482a1

SHA512
b0dd28231c77daccd0821216d801a1cfc54fc7934b5fc4218a23100d0a6d22eebad1ac560e34cca902caf22274f35c4e76a3a9cb8043ffe4a2bd1db21e9a7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
904fd9fcea1bb66aa627420d601b5efc

SHA1
4752541fee0a74f03d6f27ac41339b32e04f165f

SHA256
f28d67cf507e7772958464b379dae8734d6af0b7071a3a1a33e181939b0ae22f

SHA512
9fe87e77ff36fbf8bcb4231065eed2f978ad59ae2b7b6627422695315f09af59766ac0b191d9758ee1d6d48c1d6219cc8a8456bc6eefa23ab27737438f639e78

Download Submit
C:\Users\Admin\AppData\Roaming\f68b97827489627c.bin
Filesize
12KB

MD5
8fd43671b74e4969625e0a31cf9cd629

SHA1
e7a9e8869605a8df4253bf3de04eb931dccab186

SHA256
8925f25a6ac1724f5e3b0b22944a04322fe3062b2d06690ab98c69221a8c06fc

SHA512
4a9f2c62e3665b343e0ecd22cd2420af5711209b8827b965ad548716f365d072cf5400d89f98ddb422eba0b2984dee96dec1aeed51d3d5926bbd5771bedb2f96

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
eb27071727d47fe83f3e1dc4bdb3bd01

SHA1
6782a695d75805b9e799a2c942b933a8f0972224

SHA256
6fbcfc6a85a80fb3d0ea3ca4caafc847b163d6d16193fcfa63c0c8a4ff3e2c7d

SHA512
5a1ae1b7dad30974698e8c8e71bb9ab62bdea145ee98e308820719ef459071a9f94f6a23da481689f972245446e1fe73611354fa193a449f7b0743277a8fcf1b

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
42c9c7998d7f097e5979dc4db76c4854

SHA1
766ec781e79bb8941f840e7960cf05aed9763d06

SHA256
1e6e5c169aa282f323c8df2ef734db4d50a05f930338a45fb18dd6f6aa3b36fe

SHA512
28b11bedfd692d011b85ff71a43359709dbfc8bf9ff502875b30ea00644746a5550f9a888e40aee291b6562d1e45bd04c25206f6811ad357e12ea7ce98a04bdc

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.4MB

MD5
f361a10aa4acf8003c8eec981b128554

SHA1
2aae919ee0ef0fb89f427e6217d0888f71c80d98

SHA256
44ea7f4d994162433b3b69f152abf1bf6b6a8db57dbc3c20d1f01074274e0ef9

SHA512
f965d003decaba9d179602d68acd63a021d6229349cbcf863b6949b88e2daf4db535a0899f5baa98efbf1bed3a42a6796a9bff3add062f0aa71d5adbb93b7d42

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
abc8c169080726804d1081ae781f1ed3

SHA1
7fa93d67193704e477e9caf0664440aee829bd18

SHA256
846840d90228f3c41576c69f61ecdcd60cd0b6e7365eff4d475bdbbd18d4ba50

SHA512
b2c000270e5ee7e89adefa65245ed01ea56ea05a30e37f11a73a892a8f0e20930e44a0c4c13ba4de2cd09ce15d58caf0af37a33cdbc39e9fde60925b5d0e6814

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
921e65f98816deddd0ba9b86ba4e721e

SHA1
66dc4de73dda99b82e69c88058355a3a6e6f3276

SHA256
49481ff5bb1b941bf5aec69f5600166d52f0bc42954a1050a12a29e943600f98

SHA512
b44e5a5aacb776dfdc086485ff38ec7deacfebe2e346de5110dc2c68e7ccf276bf1fb54247c108b8478e5db62a02b37e5427be4ab2fe743afe00371489fc2830

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
f50efdaba53ede2375e717ec33067885

SHA1
129bf1a0f6718b76c76a53f5b868e9ac23bb09f4

SHA256
a831e24204053b7a5f416e88bd13e46b3b9204480906a22dc799800ecd181487

SHA512
2c13903b8887640825f998370329e13cc1ff3f4611996273049ef8cd04ef6e26c9aaf42a82628ff9e2ad9e819e9dc0f93de3aaa3a954bda4864a8289fe460062

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
52c45477cbffa5380f675d91fcdba67b

SHA1
bfc8406d2b2d012dd8c1c21feea0b6dfa8d35cd7

SHA256
3b4378d24a0fd426691485432d3ac19a5561f60fdba0ebcbf15b5fc03d08e8d3

SHA512
317701b20405b6f3a973eca20a5445125095ef9726b02fb8b0c021cade1e782b12d4254de3c19a04f39ed0a56f4a22fd9ac902a71d994bcb27dabd3479613e74

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
11d6178a4a277022af11b375d2639cbf

SHA1
ebb6cb5628d383442f991351eb7e0132439683ac

SHA256
98f3632b358ec4a1a6446a369ef62a10d2baa37d8129acd632a08bd0636e7569

SHA512
a1480899978ea7d60b9cbb51dd9b870898e875212a4ae234305a73946c83e011a8b1d6806b9570903aa989718f980b8167b246474dc5ccf2cff48db33a75a1d5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
9e153edfd83d466203ce8dfa0f5e49de

SHA1
c8c9ce28070eeaccc43fd97cb15efcef8a0d3013

SHA256
13bd3f2b94bed8a59a007fe50aaa0b013f4a26525ed2cecc74ba4b9527b535c1

SHA512
1fd183016dc1cf6e982b3a1b52214148b2aaf93f932e36d8d2183ff87976462b685339196c46bdd718ebf3142027e4946db83b175557ca231d598aab1cf7e639

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
33521d1cc79599884040f3a385bde585

SHA1
434cbdf1e1113856333f05808fa626f0a624f9d7

SHA256
a8fbe2eb8a190674009d93d2df4247679c02d15fcba0bd4d2e8bd58d9033b74b

SHA512
808e9a6636e5b80af46fcf87f1b9b0c94b9ace733053cf04570579357c07a1df54a221e2e854edb07110d2df783a7045751c90c320269aa7ec69060b769db2de

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
bac14f4676e24ba44d7fbf131c794727

SHA1
a2b62627b98d81f9cb018c2e87c503f5df076654

SHA256
45dbf5efbdf460ae3898170aaff506f1f2d1a6c9a36e7cc2329d44c1093eacf0

SHA512
98858f204a2c6800058325ce60f6e3c2f003ee1a5f0383fadaa71bbfe9b115bff8e2f2d512b1c8d00acd604bae7acbbd8c7c1c3314e0889571497b2f5003934c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
05e194ab6b6ded4c5d7db1112f570053

SHA1
213987d01bc3f32b63fb54fc155dba2387fa4cdd

SHA256
2e566b66edee341bb21d7a2be871ffbe8f8f43d2d229a83cfe8dcff292668709

SHA512
749ec517c8ef45a20ddf0e74c17c22764ff1f8cc24907270f3e516c3297f006d1692783d8572691b0903bccbbe1cc06833d0b79f66930b6dd6f3d43e3b3ab62f

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.4MB

MD5
6234795d71253a98de646c5b1dbd4210

SHA1
48eb0c1ad444763e635e33e5101bdc3fa7e50542

SHA256
ab137c9f407e5dd0cd9167e0f63555b7111719793892beb563580b866341b1f5

SHA512
fd195794bf628ce8a9c072cc25f1ac771e15cae68a2836ff0e111c3f62a57cd4765f7012ae1b4bb987536911265ad269694a962757c555cdbe466d2e12dc0cd7

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
a1201d3570055a86096a24a4b4dc0d21

SHA1
62dbe8fdecf941fcc855dfe707f16b05892ed060

SHA256
9d8188eebb67630f89b1e93170e00a47e68508217c991370c213a4da7f7efc06

SHA512
60288f07471a5cb07d05b09bfda5bb628acdb53777f9eac3ad85323292afe9c827fd78a810947a6c64d3279a8febc3236c13da8e519ea4fcbe7834ae370f0e5f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
93c913803d7f91478140aea90e61e88b

SHA1
f2500fd643111690e029380f9e475e8de3b4651f

SHA256
a501a8544389b6bf64856af8330b3a8230ea91d59fbd2c0c37121c14abdbf545

SHA512
be2b5e9d0579b7d428ef15141975e9888017bc24baa4a871de843d654cb7bf79154858a011af3d89e0de3a718fda41e63d02c0bba5a327d1c397953c26a7b770

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c28369c51536e37a62eb56006056c840

SHA1
de4d35d8d3406abfd9b37d6455df7922f0541637

SHA256
d8831b6195aef75ac55718301e0f0ffae3e4e131664c7cbd6ace5d097665a619

SHA512
5748ed44bef3c7d744e4301230bc0db54a26ce4fef799c7b4069192441e0676e4bb578a9a69c24b1f7fca22bfc3553486aaccdbdbb80bb3408f4a904f2baeb9e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
1e75cf5b3bc33b62eace669784d1ba41

SHA1
467267edd2129dd40c3421fe94d857168332f657

SHA256
d94abb6279f1ba1311e0f7e85d451cc674b10fb3b7475aedf10914919c49de7e

SHA512
ce4b1d1b0f4d1ee9e267594be393f4a62368c1e9408ce9672093094117afd2ed0e6c9c4c5f3afa71d744e4118503bf5f630472bec79d2163261525789363d78c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4eda21a921e47e88ed6f94abf8a0819e

SHA1
f968ec2318233e6a969d120b9330d9ee34d837e4

SHA256
8068d2c8604be7db9365e0454dd9df96f4ce1f5716c2cca9a25d8328984c8cd2

SHA512
bb1b22709fdefab9fa08471ef0525f7a358f0637be8eb32f462ff91210a5169e72f47de660b65c6a74b2e3f7085e6be31e80145173de4140185a0a1ada72555f

Download Submit
\??\pipe\crashpad_1656_XXTMMSMXFHAFWFKU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/816-256-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/816-584-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1052-42-0x0000000140000000-0x000000014021A000-memory.dmp

Filesize
2.1MB

Download
memory/1052-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1052-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1144-242-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1148-257-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1148-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1736-84-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/1736-72-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1736-82-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1736-78-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2100-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2216-226-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2216-353-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2216-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2216-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2324-249-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2332-9-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2332-18-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2332-21-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2332-549-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/2592-239-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/2700-234-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2948-89-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2948-95-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2948-229-0x0000000140000000-0x0000000140240000-memory.dmp

Filesize
2.2MB

Download
memory/3000-230-0x0000000140000000-0x000000014021C000-memory.dmp

Filesize
2.1MB

Download
memory/3000-102-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/3304-233-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3332-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3392-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3512-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3512-459-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4184-583-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4184-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4184-227-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4184-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4532-17-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/4532-6-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-26-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4532-30-0x0000000140000000-0x0000000140561000-memory.dmp

Filesize
5.4MB

Download
memory/4796-582-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4796-41-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4832-228-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/4964-248-0x0000000140000000-0x0000000140253000-memory.dmp

Filesize
2.3MB

Download
memory/5028-243-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/5796-418-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5796-479-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5944-595-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5944-430-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6044-444-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6044-468-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6112-596-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6112-454-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download