2bb4fdb1ad853c4f3db9aac87fb57594783055e78a959d4544f4b6504b23b991

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
Size

5.5MB
MD5

a4a90c193e7225a659101a58f0ded51b
SHA1

4395fb3cfa5e864d3360b6c365c4fefdee182af2
SHA256

2bb4fdb1ad853c4f3db9aac87fb57594783055e78a959d4544f4b6504b23b991
SHA512

94f2d5b1f114212ad7e61fa96e1508aa3303f40960ab21003688228396ff6f7bf08a91cea4e937a321ee1fca9502b2750d784b2e51dc0386be7fa4549cccfa17
SSDEEP

49152:JEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfl:dAI5pAdVJn9tbnR1VgBVm9XvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4520	alg.exe
5064	DiagnosticsHub.StandardCollector.Service.exe
1652	fxssvc.exe
2432	elevation_service.exe
3984	elevation_service.exe
1404	maintenanceservice.exe
2520	msdtc.exe
4540	OSE.EXE
1064	PerceptionSimulationService.exe
644	perfhost.exe
1280	locator.exe
4844	SensorDataService.exe
3216	snmptrap.exe
1824	spectrum.exe
3348	ssh-agent.exe
1400	TieringEngineService.exe
412	AgentService.exe
2744	vds.exe
2536	vssvc.exe
5112	wbengine.exe
2432	WmiApSrv.exe
4008	SearchIndexer.exe
5192	chrmstp.exe
2496	chrmstp.exe
5248	chrmstp.exe
5408	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

Processes:

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exechrome.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\274c2c607489627c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exechrome.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a139a7f398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000110b29a7f398da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f9ffa6f398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587311163008078"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001571d7a6f398da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9fae0a6f398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002cc10a7f398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0f317a7f398da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049cc6ba7f398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8821fa7f398da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1252 chrome.exe
1252 chrome.exe
4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1252 chrome.exe
1252 chrome.exe
1252 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1252	chrome.exe
1252	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

pid	process
660
660

pid	process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2252	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
Token: SeTakeOwnershipPrivilege	4892	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
Token: SeAuditPrivilege	1652	fxssvc.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeRestorePrivilege	1400	TieringEngineService.exe
Token: SeManageVolumePrivilege	1400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	412	AgentService.exe
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeBackupPrivilege	5112	wbengine.exe
Token: SeRestorePrivilege	5112	wbengine.exe
Token: SeSecurityPrivilege	5112	wbengine.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: 33	4008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe
Token: SeShutdownPrivilege	1252	chrome.exe
Token: SeCreatePagefilePrivilege	1252	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1252 chrome.exe
1252 chrome.exe
1252 chrome.exe
5248 chrmstp.exe

pid	process
1252	chrome.exe
1252	chrome.exe
1252	chrome.exe
5248	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exechrome.exe

description	pid	process	target process
PID 2252 wrote to memory of 4892	2252	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
PID 2252 wrote to memory of 4892	2252	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
PID 2252 wrote to memory of 1252	2252	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe	chrome.exe
PID 2252 wrote to memory of 1252	2252	2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe	chrome.exe
PID 1252 wrote to memory of 3424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3424	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 3472	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 4776	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 4776	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe
PID 1252 wrote to memory of 1380	1252	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-27_a4a90c193e7225a659101a58f0ded51b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb89ffcc40,0x7ffb89ffcc4c,0x7ffb89ffcc58
3⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1920 /prefetch:2
3⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2216 /prefetch:3
3⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2336 /prefetch:8
3⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3180 /prefetch:1
3⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3204 /prefetch:1
3⤵
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4492 /prefetch:1
3⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4752 /prefetch:8
3⤵
PID:6036

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5192

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:2496

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5248

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2bc,0x2cc,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4924,i,8532632295712402710,12166299373576970331,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4784 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2256

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4844

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1824

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5828

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e950bab88d7c3a124e67a06bc1eae685

SHA1
b651e1f8a6f86065bf13cf88aebbc051006d291b

SHA256
56c6abc68b2f3fba22a960654277350a132002d7ccc3a6c00caaef04f0a0ad2e

SHA512
b314af21f311f5ecce4ebe63edee373642a8fe7ffba113daccd934da0c7f51211e41caf37ecb0fc75ba8b448be541f7650fe641d415099db5a44102523d950a0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
e21fe861a6ec29fba2263525b7d39e09

SHA1
4af16fed7900e93c2198a3e985dfcf05cc248a08

SHA256
95af101eaec86f5461a68b57ac1be48182187fac3597d670c51c23958e8997ca

SHA512
11d3dd1c206c00c32b6e536b5922b83b16b769724aa466e2308b78fd30dc294d0bf7cdffdd4e5219ff745bfbd32995e874d1c65516eaf7567c7d5b09d1e0de9e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
06e48306e93c1b31b92be07b9d580251

SHA1
e1fb5678fc1b9ac6c7c22d2414802890b543842c

SHA256
0fbd0e6c5efcc6548d724f125d4ed1cbaf20ba44d2c77444ed14af42c7b32153

SHA512
56752fce38e12d934a1cd23b4f1b0c636f0677660416e1f0dab4123dffbf8a3b01a83d480dc0f5f3ebf947b0f60ad8829968fcd65a4f157c322abe065996b193

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2172028e2acd4b3abb4b4a281eefc84d

SHA1
f833430aac00c66eb36a2ad595cf149e81fe0126

SHA256
70f0d7bf628dda3b27c85e5e31a820bbd25fdcda3210354cd3f5fd794d9015be

SHA512
447e49c141901fd6a77e0a14cc82c70d6e9bbae946bde861c70b6e863f9ec499cac7f8cd6ed4bea8f10c4f7ac9545198a43f3bfc7a6675cbd6624a2458aa6397

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
664f8556fea5148556ab496889c31a61

SHA1
5cde94c039c842867def62856acba36d3026956e

SHA256
183558f9f44a10e001ec176130c0d573b348dd81ec0a26425a7fbcedf2723675

SHA512
a1329eb8895fdaa786a3b77345be015d27f597d6144fd2367b6cd8d0cebf5caa9eebd5a29a6943df31b477235b8be88a41106f5940ad52e07625060b886440fe

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ab136f28-11aa-449c-965e-813326d7f953.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
deb08d9bf81cbb91dccb7aa856d407cb

SHA1
efbd19ba69dc8f0f048c35eae46ab0adffd43b51

SHA256
6da463cf891a8d18449ddfc150de3b7a7b447c8e2fdab5e853371969bac24c55

SHA512
d16c8eea74dd9d01620b798a21e127422f2fd8a192240719a3961669c04ceecb43fa97022037475193a69e5438fd57fd368e4a2bed3206df5da16ffafb6b95ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
61e5e5a9931d8b5f8da1d3814593cee4

SHA1
7607a38f58770f5a3c8b53f2018302883614fef7

SHA256
6387bbef3d34c0083899aacbfe79c2c9bfae64bb6fba17a2cda774054b145bd1

SHA512
0aaf88e50af694797b1c81524f63e22fb0634e99ea5f3bf0b07e55e87cf00442258714271352dd9626d819f23988c5be2c40c67764d5f5277fee87be901221a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b5fbc183-4b0d-463b-9dec-40cc4ff7a589.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
681ae57734a15ab19976e6fed38d4682

SHA1
ee0b585807635cf0fbcb9ea5a395ad3e4e4f023f

SHA256
16ef2e509973b132cfa755f23db5e0133fc72356662c47427953267854d7bc65

SHA512
bc6877a567d68f4ce36a265559217450d0b02cef3c7f6a9e6cda820c523aaf03983ddd8c95113ed5a6d031334514a69ef6892626197ecccb855436c174369fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
02e6d7763ee201ab1f748310769107b1

SHA1
bdcd88173306880933a7d85c29de51296e8e6bf5

SHA256
38f6025a9235a57ff948dd73b13a26875199fea842a7503fb5c35ca0576e7e51

SHA512
28f45deb9368e6200f2eeb7850939cb88adfa18ad296b69c7a7461de9778bc92699c4697e50502953b8b146549dd9af9f9a987e7f37a432a91def7ac8815d502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d3f60a3a19f1d15f12caf56b4a0a83c4

SHA1
d738869f3917c416443d8d00bc5afe5d2d5837e4

SHA256
3401d7155b2aa6d5a5f84430a0fbfc7b53717ae3ca3bbdcd3966e059af968c5b

SHA512
f05af461570a42062c029926cd3d40a19a03cccf9b7f4f4525a516dde51e7a48817d9e7a9e29daca9275d86cdb828a06277ae45b9af5832f0ff68ce56c98cffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
220b26df277130ec92b8930daee56380

SHA1
3b9515ee1d319f5537d1788f07339197f2999bbb

SHA256
bdc78a946d4c7a402ed0072036ee8b1068865ae4cf8e8f118dead7ae902c824c

SHA512
3908b942d3ad8788eb31c14043fa7a683a7a6092076a597d5f6d6586ab02e05ce96c91963a28929bcd87986f33dfec26eb10c051dd34e4989482daba2f8742e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e1801b925ee24ffeaecd5a2e69df3f5c

SHA1
208b9614abe412c528766e90eee3301f2d5f3398

SHA256
9ea5ff4ed8c986b4adfb92c5b42c4fa8a94970b23d4eb489f64f4f331395b2ad

SHA512
ab07dcd48231c78e809350f790b9a39917776cb8f04ec73fc479862b831ba6f872bc190d52c419fe18b34c0666132c00b959be665ce11b025a4678a2c7c4e9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f2964b41d400972bb9c9834bb524297d

SHA1
651db0f6913a04450a163997275a095f1d9a129e

SHA256
142bb0647b04f61f8eb5be3826fc47b90cf18e001407426cd44127b7b5cee0a3

SHA512
4ee86dae112468a9379acef13003c04211e456585c76cd140d257d0aab8f7c9210fa92c6194b0d67c8e90ea2d386b1cbe52ca1616b3e41daa1629f6c2a9a7545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f41fa828d421167a3a2ad7942516db1b

SHA1
d8071f47785e4de15eb749cfb2c88942c16253c0

SHA256
2238f56ba344a131822fbba27c9c57b9b1e8a899c5e4700a499dc792d77cb3aa

SHA512
4ab645e3fa74cffa7efe9e84166253e8f9767c4bd02ab6f1379ad91ad1a56f2dbd870355a1e01fba08f8936e4c175972b397c54ebda27f96989686e0e1eac0e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a12ba024dd9857640579b7897161ac0b

SHA1
305f5f6cc83c3d3a479ba99921127e838179ed5d

SHA256
ff13d33a1cf5d6439c0d6012a3c3d010780be341ede82a813c59d44cd24457d7

SHA512
b9de58d6cb0c4aaaa1589e7485808196dac9107dcdcdc21f77470531a548e894cd4d1487d91ad3637da9dd69bea71bbee6a446b88419595639d8e3fee6dd59f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5776a7.TMP

Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
3a840064207692605327c90103e524af

SHA1
0bc15e2a4484fe91a13cd871c8e93e9a63068567

SHA256
2f81eade852d9ed4350bbbbac462d6a2edb728e9e44513e59853a278610a34da

SHA512
b1f8fb64f032c6edc2f7eb2bca6ebab681922825ed8a245e8155d38802c59093f17927c806585b9190b58c5d55996e72d81e963d76b0b17d17386407ef279e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
921655442d824311b92392f698ef97dd

SHA1
dfb5b426dfe02027982a0e1fc4a143009d1c5080

SHA256
561aa23eac05b526ff6a4229acf22e66ea8a060dfc03d1f1aded92c87c130d69

SHA512
a61cf66eb12ef8ae2d239f6490c15f1dcc1aec6cb0ed4daa3e85096d1630a322cb64a6660c4ac90e069ec2299f451c6e7a18447ff8b23034a7f281a1cdc3cba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
e4ea78f0e51902b6e0d797b0d8791816

SHA1
7659562949e45eb992b371e22b8a2e688ccefd08

SHA256
7da7517d15cf77a192638f97dba3d98cab092e5c546d7da767ad68da0f33eff8

SHA512
e3efbc2218e8eb24b56e74f7389e83c3fa569c61defa2059d80f82549416b26ffd730c7194ebfbc92d13d0d6e2a382022127d8ebaf918f98e6268d793e3077d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
06d8d21e5e39d9a316efee950f525fb6

SHA1
91b95a34770f9a066379dda3db94721c99661f48

SHA256
1755e3f498cf2ed9c6ad63ff3c52bd2d475003a54193e7c89a86700b231afad5

SHA512
a3284b8d282272ad9ae1e867d8fce6adae0dd92a29ea518ee82555a98b33f6df8d8cddd0d6f27faf83b96fa6fddc715ec1ea1ec8789a514bfb35cc85c00e72ac

Download Submit
C:\Users\Admin\AppData\Roaming\274c2c607489627c.bin

Filesize
12KB

MD5
d2b30582555123baa9fd66a27f943a3d

SHA1
ce2bf2e288093cddd92dafc798bfaab5421d8880

SHA256
466ae68f0af9b7a2e7e056019c560ff1d2a24f1203b814e5ea6a28076ef9adf8

SHA512
28ee44edd33ef712f129583f739dff28a96599a2a9a723dfa800d2162312f05984344689e3792b6b62525ba0de0dbaacb989fb229c141e02ca7770ed86e4582f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
30f574bd9c4b74307a8bf3b0694f0613

SHA1
88da5003c5577abb9b1337f755320f02c7ae6066

SHA256
5b1a6f244f13be314b4e6fb0212639f4882231237c2e0f1e6f187dacbb98fffb

SHA512
8bdf5dac4a53ea4eb98fbf8e83912b0b5ae553ad2e5d9c6e9d2bd32cc28e1c192e29b1a59a931da1118be01a95acf7a725e6dd756f89c3cafa14c394fa64b566

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ddb4907c072128b461fdd575e2511799

SHA1
e0de327efbf021ab29620217d285837ceb740e53

SHA256
646feb571a2d06681110d4a2d1c579cdc5f7889ef3300c8a2f9d2e00b7765f4e

SHA512
44e16c66d3ae637c52adf0ac086d42c9f3b4c6f8c585a682c6be10c5b0147178a546c827c8b3d60e8b0593a9b18b77ff56c0d8915a06075e3d6ca1683a640d39

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f8d470550004475e7cdc0ec90a556f2f

SHA1
031dc220e2ac3851eeaed3cd37d3aca0e58cad85

SHA256
df016b7795a9be70831b2218996aa306eb924115dcdbb712f37c0e20bb2760d4

SHA512
642afdb4cecedb6b0498e6e7a9eac26ac4ed18a4787e287e276b8230017e8d6dae485ed065245a00d36536a240d661593f117edbb7131426eeac1399d3d3b929

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2cc7fe602b36c6a198684e2e01dec7f7

SHA1
84972da9c2d58db25b07852df8bb87760dcda160

SHA256
858dec0e69d775c1a370251e33bc224965981d5c19473084fa26ec07e9d5d9c0

SHA512
2873e276b2893c8d1b8d4cf2b39b19758012a4f4f64fb68ad934feb71053bf60ed2711af46f707d5f49cff42c3af99eefc2c1e79139b53b5076c8a502906de5d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d5c1dcd91d0c2255d6592bfd521bd36a

SHA1
63927b2dec089554857aae50b02877f7a8a1b9ad

SHA256
9265cec097a3539f14dbe945694e3995650516c7178204d24b67e0420a97a968

SHA512
1a042849daaa6f747eb80360e00ae12bddf2ddc48f09cecb209be28291d27857fbce2e0a7cbf6991a93deaa5e149a2e2c50b643dcf8849186d4f7e8734685f61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0e403e0a6f44fab003ced5d862ded8a7

SHA1
a12e0d385aa8edcaea3258c31cb27b7747266897

SHA256
31073da8c5b3956a3b417c1f367f65292a629abe7a5f44279a6018113f9e3dc6

SHA512
541cf7f054538db99fcd9e51037579c90c20f4b2fd0250cf3b392e4bd7f2e4d0a796c1fb7dbe2f7ef88fd37bf18d1464f092fe71f21fbe37340de1ed61cfefe4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4cd8c23420e433797e7a94c52264f030

SHA1
bce4f92549184dc42ec22a96a914d3d6206fd33f

SHA256
2fd8352f045186f789e18d45932c49edecf12e754dd5970e5b185bdd07f499ca

SHA512
d3274087a17f6447209c496a50f4eaa5c1090bfff1e0a12703b92a655e16dc968550894f712948a0f59a5892f029c4bdf34d618bb374b6f63cb2d9a7d7b3037e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a564d096f2a0d239738d346f051da824

SHA1
10fe5ffe52853d353b5490c9a115ea1de1c245a5

SHA256
8218174078b98b2050a64e89b8398597656e8f70ecc4e64d5b865477116d9be1

SHA512
f7e03d2f3bd2acfef728469dbe0c686eb2eec81aaaa23c8b676bce71872048dd6a1dc13b6b60622f673046342b05e2d36411f74b1b2edca947ffc626550a61dd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
108ebdbf4754c2388ec15f3afc8e4485

SHA1
689ce40a2fff64c81d8f7a5ae89cb7ad3eaa048c

SHA256
51d3ee0f046998fc5e72e87fb4faf25e9a74f49742359367b985e9ca53adaa77

SHA512
6b2798c62db1658430f372b3191d6d52f7dec8ac2b57912c9d6ca2ab839fd2ef9849bec113fdf8bad0fb94c211d1f096a3c7928bf49737f06e82974af4755c14

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c9251151f61d7924a314ae6f0df3a150

SHA1
4f6a129ea98b8106a9f231767ff74f09e0fa87bf

SHA256
6d207042d772d4daf264baafd91ef68e038f5ee8e3f1441206bbfa5b1f0b3f7d

SHA512
5ddcc03d233ad36b384d9ab1517de98ce0be308da52b75f3d44f51bab856065ae51541605d8710a6b3ac95076556949e300d1b1e7e654d7669364edb2ea8a7b1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
31550cd60e3e3f63cdd65d8ae6e1e80e

SHA1
238f1cfe7119f1324d1960e11b3cb2e48a65852d

SHA256
234e630e060199e4c2cabc7ab0272f94ec2ef5b02f32e05b9dccfc2f2e4a1270

SHA512
bd9967f3ddf8e3b7d3f13612ebe1cf9ca41a25b8d9b0e652949b498bef400bea03d3e3bb7f1af93e4a5624ac45c2bf30894301b1beb5f749c262c1c46bc5fca6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44ff128fcf91278264e67ffcec8f0cbb

SHA1
73901daba1be7f44049edaa8688bde08e6b32147

SHA256
c42c396a24630425bfc6f7cdcfe3160f9c9f0402d3920d61e77877d4d04a3030

SHA512
5195905a9620950308b1a4fdd25a76a304a923842275e037c24b45637c5a6a782f1703acb3c0652638a6086c718cd34407206e7be6e77a453e04f093b29efa5d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
49e1edcdbee03d020188ff005fb49d0f

SHA1
6e98b177fc1a7dfc51d98b1ede1d6127cded4ee8

SHA256
4a1260f19dcc66fdae349a8ba2029228dc06ab6433111b6d6a7a6243f1fc4421

SHA512
e8c027ed0193a2259f2f1b4f7446964eb8de2194b76405595b1c0d6a6724656c1139a0b17eb62d1d5968b2ea4eb4bf2a328379c8ddfa6044dab9fc401f842629

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f1f98bb279ff9792f91d67f02bd73835

SHA1
e087a1ebd51052e3cff0d9036b1795e93bc797dc

SHA256
043106282c79566d335683ee5abda0de668e5b05346a1723e9f70c91233fd9a7

SHA512
f24108598cadc70c5fef1b395f04f48f78fe6e6f2284d821c434c545401790326aed3d690c469eb3d8c77b674b4283650dbffc3a36bfacca082463727e822401

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d3177fc0ea0dc4a4f0a65fd818ae05ee

SHA1
15e29d6db34a2eebb086314b3f93cb23f02042e3

SHA256
618575ee9df0bb95a5a3040048668c4c6564753f9af75592b8a33a9f1a16d83c

SHA512
c99b90b106ff3b38f5109c760dddf66fbcf6579093aa34b7c8a8961531396324fa2e555f4621bd2f79b7f821a034ffb04ac52dd2fea7113ca0600f99a93b7ff3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
41edc8bd456510e319796c06063af067

SHA1
9f0aa8ea0cba516bc07b384b7529225b7ef15dbc

SHA256
bbd62baf8e4bc02935597b87ec4139c62abc3824b14f5e8f8fa7a6412bde8244

SHA512
5fd913319a44d9078f53be592ae3b02ea817d3c724f97cf76c4ece1fcf76faffe1676efde13b1c1cc07579f1d958da5461d663f39efda0557c6ba47184902420

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
de91ef3e1619c5213ffc8e256d9384a3

SHA1
c9f6407ccf237f8a2b42df47f93ebe379ef7b66e

SHA256
90817807e41254c4e4da0a44120c1d13e3b98177d0d426cd17a2fab63e4ad679

SHA512
4edb4de7b97f583e3058f7609ee37c4f15b5aeb14583f7de70fcb6f7322378faff16f7518548ba592a919d729e4d6062c7e08ae8b6e5c17653c42a335bdd9e0a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ce515d078e45a3955b7b531cb8758121

SHA1
0449b7f41de4edc0e806a19f421ee92dedd3ed26

SHA256
ea8df90d36067473f14df775474cf3274aa296236a446d609871fe119b6915b9

SHA512
7a6309e919f69d5bc4cd180d960f1c05ec5c44b5b3a2214b3c0dac0831e35dfd43edd88b11a06b52a89c04fc98e574fcf1423cdb71fb691d91fe024b0ebe033a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
886f0b178910b51d93feb23221cdc908

SHA1
e5194c2b92e118144ea76075015f032c69fbbfc1

SHA256
12e9db94d642b1112522bd6bd6d384b0aae5e4f1f25092579d66e4a2686bd558

SHA512
25b7ca320ae0c883586ee3c51c36f87bcba65d6f0f0488b68712043da2240f3de9b39f0006f1a8ada06bfb5f7067b052371b878b34b070f3e047f6fb409439c7

Download Submit
\??\pipe\crashpad_1252_YLTSROCUCMCOTESM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/412-186-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/644-423-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/644-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1064-121-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/1064-404-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1064-120-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1280-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1400-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1404-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1404-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1404-93-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1404-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1404-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1652-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1652-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-671-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1824-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2252-6-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2252-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2252-0-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2252-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2252-25-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2432-207-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2432-677-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2432-153-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2432-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2432-59-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2432-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2496-688-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2496-415-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/2520-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2520-204-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2536-205-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2536-676-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2744-190-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2744-675-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3216-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3216-670-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3348-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3348-674-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3984-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3984-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3984-77-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3984-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4008-208-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4008-678-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4520-24-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4520-134-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4540-391-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4540-105-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4540-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4540-100-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4844-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4844-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4844-547-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-119-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4892-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4892-22-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4892-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5064-42-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5064-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5064-43-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5112-206-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5192-392-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5192-482-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5248-438-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5248-471-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5408-689-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5408-450-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download