8423ac948e99ba4cbf55684ffdf046005306e038aef75373c5890aa5fd4668d9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
Size

5.5MB
MD5

a587dfc1fcd3718b0bc7b43255c61e00
SHA1

40736e6aee2ea117ef6b856dd417b03f3fa2905e
SHA256

8423ac948e99ba4cbf55684ffdf046005306e038aef75373c5890aa5fd4668d9
SHA512

e496ea9bf7e4b678cbce7ad1dc272e9414d4957b1c12c42bd3ef2d5ffa1311d8edfcffebd09de35e60f3486da5fb1600781146cb67ea01807f9bd6f3b0e522ba
SSDEEP

49152:QEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfr:+AI5pAdVJn9tbnR1VgBVmgUtRM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
3020	alg.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
3504	fxssvc.exe
1920	elevation_service.exe
3264	elevation_service.exe
2436	maintenanceservice.exe
3176	msdtc.exe
2336	OSE.EXE
2120	PerceptionSimulationService.exe
5116	perfhost.exe
4220	locator.exe
3828	SensorDataService.exe
4588	snmptrap.exe
4324	spectrum.exe
4476	ssh-agent.exe
8	TieringEngineService.exe
452	AgentService.exe
4852	vds.exe
392	vssvc.exe
548	wbengine.exe
1712	WmiApSrv.exe
4844	SearchIndexer.exe
5920	chrmstp.exe
6036	chrmstp.exe
6128	chrmstp.exe
5360	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a0900b797489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d520828b6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fd7058b6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007087168b6199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008223448b6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fee6c98a6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006721e48a6199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587783084373380"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000114a3a8b6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060e9188b6199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe
4396	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2812	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
Token: SeTakeOwnershipPrivilege	2696	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
Token: SeAuditPrivilege	3504	fxssvc.exe
Token: SeRestorePrivilege	8	TieringEngineService.exe
Token: SeManageVolumePrivilege	8	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	452	AgentService.exe
Token: SeBackupPrivilege	392	vssvc.exe
Token: SeRestorePrivilege	392	vssvc.exe
Token: SeAuditPrivilege	392	vssvc.exe
Token: SeBackupPrivilege	548	wbengine.exe
Token: SeRestorePrivilege	548	wbengine.exe
Token: SeSecurityPrivilege	548	wbengine.exe
Token: 33	4844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4844	SearchIndexer.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe
Token: SeShutdownPrivilege	2644	chrome.exe
Token: SeCreatePagefilePrivilege	2644	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2644	chrome.exe
2644	chrome.exe
2644	chrome.exe
6128	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2696	2812	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe	86
PID 2812 wrote to memory of 2696	2812	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe	86
PID 2812 wrote to memory of 2644	2812	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe	87
PID 2812 wrote to memory of 2644	2812	2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe	87
PID 2644 wrote to memory of 2572	2644	chrome.exe	89
PID 2644 wrote to memory of 2572	2644	chrome.exe	89
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 1760	2644	chrome.exe	115
PID 2644 wrote to memory of 4448	2644	chrome.exe	116
PID 2644 wrote to memory of 4448	2644	chrome.exe	116
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117
PID 2644 wrote to memory of 800	2644	chrome.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Local\Temp\2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-04-28_a587dfc1fcd3718b0bc7b43255c61e00_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3118cc40,0x7ffe3118cc4c,0x7ffe3118cc58
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1896 /prefetch:2
    3⤵
    PID:1760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    PID:4448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2468,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2464 /prefetch:8
    3⤵
    PID:800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:5128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:5284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3976,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4916 /prefetch:8
    3⤵
    PID:5876
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5920
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
      4⤵
      Executes dropped EXE
      PID:6036
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6128
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140384698,0x1403846a4,0x1403846b0
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3836,i,6242820182903659599,5497997504355443648,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4544 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4396

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3264

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3828

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4324

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b7ef4bf25e6475d6b1cc7e52c5abc4cc

SHA1
034e363c6744caa9c3f1b4dd68f4e1dfa26c8162

SHA256
4c7dcfa3532ee4b6c1a326b662bf099665b90243379a40f01530770309ad37fe

SHA512
1a44531365099e365b650e78390636102f3e500913def5bd2d05d356bfcf4227fd703570ee96f9702e9d21cd087a8d94f9f31dee796a6d51a6380eb452066846

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
9140e64e860c500af25c35dcb9c92e9d

SHA1
d7fe5f5c9ce66c5a3dde2847b68a52c3a371200b

SHA256
8fa4d189fbab67b3ab9547554d0845b9278565089ad1f41e1cca0d9fdcf70573

SHA512
72ca09aad91b77222dc6b422fd331c59052a3dfccfadbb1f63e750e04a264b3dffd450636904be3bcdc54dfa9b566e879ab57f4f964e485488052482e1bb7e7a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
95f3e49749eacd0e7b14b009d9afec82

SHA1
bad5c8fa2bdf5f73177b2ddc181ed456d8e6befd

SHA256
44a6e01b8ac871b5c653220b9c5c2a7646084cd4d8d96ff642637baa54e6a24c

SHA512
b205dc9d16f8026c0a83ee06433ac25a5073ae00b063a9882f801ea2501584f6adafcb01aa7403036feeae00b7c62851ccdd5f3db5f9b20cd6f0f3f638df7c7d

Download Submit
C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
21051c2d2b882db5fd154d892912f80e

SHA1
efd828e31a80c5bfc0eeacce5e107bcbfcb4ac45

SHA256
bd26b7fc11b6811a1569980ded3004fd57ad9de98942460f30db817694b879ad

SHA512
5b8f81ce088beee3e198a65294d026952265795ce9d8bdd8b598a241905c14ba89110cafa9bb4b9af1d97c188b91149d6084ef7bf3b4cba320d6a39722f8f44e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
37f1dea9783468c41048b68bfb9f3361

SHA1
00e44580626a10af5b6b45f541d6dc36d999cc79

SHA256
753679cd4e64b9e96a8332df4395c6a50492fe0ce3c5b7db16d18ea87e4bbe08

SHA512
7205c5e836ea0a60122f8d196401caa994e79b8620b820395c1b068aeeee78a3cbc6e072eeef7ac78458b1702ba44a04b98994222ce4e08227f45e8927e53ebc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
5c67fb6584facb2c575e85028c2c4437

SHA1
3269d11ce9c24e019b618dff9576e34006fd1121

SHA256
a04b21dfe0a02b1b97a470db4fe4f73ba32432b2d06d9bcbc49f199dabcf7b84

SHA512
7a5bac86b5500a4bc94b615c8a867b2a4886dd248103fe2ea6781185ec85d214ecaa5db260011cc8ffbd5fc346d54b3a7fb8e4bd449e6beadf2e777db3cdfc3d

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\b31fc29c-bb00-4c79-84d4-3b62cfed9487.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
588d8999e5ecb0c19634286486fea21e

SHA1
afd804bc796e342f4c49edeb6d4bf5ec94c6af83

SHA256
a23cdf21177e4691dd2c7efd6bac360dc5f3bdc3e7bf29edb24ff0ab04c90d3c

SHA512
35fd830ff5861996ff658bbeb360020f4549cc3c71fb817bc27706f439dec0d230663b5b6db04bf2c2d9b9a82107e9c348caf001d73065a3d0a36f938980bb1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9a4e725c9404e05c3c17f0b266d26c6c

SHA1
022f2e292f398b530af6864eb7a2424045b91bca

SHA256
7f5ed472ce85c13b1a2de9493032cb7877c1668c5dab443e3e42333d4b6cb377

SHA512
0ed1b94166b4dec25eece2e281468fa3f9a8521ea45335220d7522ba5c2ab7dbb6f4a4a534b7a6990131f351922ead9c38e015849b1cca855a73263824c72ad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b61d70d0041736cf642592a62385e740

SHA1
4f64cd8c3e34192ad85b1e7ae6731adf86bc4516

SHA256
50f5da14d11b5b2ebd30c88e640d3696b181be6e56211f1eb0b6fafd26f4edfa

SHA512
6aa7dfa6c4f181eabca2cb2a41de5e4bc8d88842039e30813366117a91fdb552f155d3de2d886c9b20f6ac46ad71e58b6fc4ef1a34a21d8b1d5b540c4e3d0513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
75ad4af23ce540864e586b24644c7bc3

SHA1
95d4409e3875038338476f4d86470dca9be6716a

SHA256
3a3021a9c81fb7b243292efcb1f3bc95d13f28953fece2623df6df01af21ad0f

SHA512
6ced1ffe25cac40ab4afff629ed474ca034add074e88d9287e0e32e20c232e2fa7f4a50e6747d14bc95bd2a163691d0605bfc06ada37bc244b19180abd14cda0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7abe02999a7a07bc1e428a2eee3cc557

SHA1
ebde9ce42146017802bd145b1b4eb1f7a3789639

SHA256
e3beacc141d7a696a3b7b1b57a53ae10424f8176ab961716b68deec7d86aa269

SHA512
ef0aaede82e181d101a23d263b312271aa9c449518bc4d084ea8b5e6ceaf148e7ba08cd609c0a90f744e8135042905042395411ad0854b34fb7f7d5bbaf4bad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fe589c4a7d55a11b5106461afa45da4c

SHA1
58f7c651fe0da738efc87773b6467372044797a9

SHA256
84dfe57a8a3af1fa9b24f4e320d02cbb7e4ab732bf81de56764ae7cc1c6c0828

SHA512
bf4bff8fda3fd8c78a95096f5ab398805528f0924f8f8b0ba4fa2041e2f1546e3c8e8508df5c98ee467f312301d4687d58a090b5ebc8f6acd01efa800aefb955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
209424761b8a0fe991027a8bd19a7bef

SHA1
00423b74b95459c08c8d70468715fa2cf92b8811

SHA256
e4dfb7c459036143452fa62a486bdc1d247663b1d33daefd041bb509f8bbe279

SHA512
31da4a0f10bd0b787f9e4320320c8cbd755fed61a5f9809a1cd18f2f0577ae5278a000f1d16da1296ca1dc407e7ea735ef063a09932e8a2bb842f612df060277

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b9eb32a9812f4daea2e8fdc50f0309c6

SHA1
066401b09be1773d1dc5ecb1b60a571b47291545

SHA256
b0e702ec004e726af785bd6007e72df0b85863b583a1b2c12e6296b1b77cc66a

SHA512
63afef8a474045edf80545c5711fd2624a9570281db7cefcff3694091ad07f9a5d2299f9f2117fd9f69386ff3348913f0d2cb57d070ee5d4477c02bdc14221f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e0812bfe5dd95c991d308908ec945372

SHA1
e08490c2ff28bd4a7b809cc5bf08956fe05dd132

SHA256
37306f9f1db524fd7f0ef51b282615fc3afe74a4769d8cb6280e4a293369e518

SHA512
237876b05ab00d3382ee40dec45017f3b159bc23eaa5632a5b0e0bc1b27a536c1b1303e871bf14714e84d3680e9121a23780e08a66a44bba1e9f2f4292c1cce8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9cec3e7b32a7d244cd32849e29212ccf

SHA1
e04c22dbbc619b9c25c89ac8dbcc32cbf6f99a3c

SHA256
f6c415362f1626f098e74abeb4a7d5b3c8385b1d77f10ffb73956e6c4e70a135

SHA512
ff38e8e6234b9bfddcd4c9cc521ff5c0005ea1f8f8b33d589e64db125de856b0427411edae250c329a9bdac97485af0ab30c27e1079b9ac73e301f699c9a555c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3d9de6274b7378c188fbdf71d4661e29

SHA1
e1e026f195c60679d30f8468e0144ebc89a74143

SHA256
af8055e8a3aa39c8a8523b45f7c5c87fa18a210f07421f249e48cf9a60bbfd10

SHA512
a5974273c5e739e9af60de168631e3fcc2f1132c9d19e44f319fdb375e3d0c0b71c3260ca236d915d350a7fcb845271df4be28806c544aa16cb7c60eef8bdd31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5777df.TMP

Filesize
1KB

MD5
d8c020453a9745d3cb6e966101a2171d

SHA1
599f394ce1fdfc46c360ccc073892dc2dc98eb4a

SHA256
f739329dcdf0bc11443f2eb18f48b5f721183d20e9269cd2ed983d35021db35a

SHA512
9001b06ed627273807c8cbb383febb231f52bf813074896f4f6a7ab20ccb0463ca135f36524934e4586bd872877a8a128f60db53d1591ec8a166d4bfe0894723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
2af7b09123ad24a917d06539e3f4862d

SHA1
69a7e9b62f01c3ceb49a302b32555f5da66e311d

SHA256
9873d9848a04a5bc7b760518ad6ea7b0a62035e2a1dcce627a265643189ac0c6

SHA512
486520fadfa2d2b1331bc3776948558c844ccbec94f7b833cb76348e3054a406452c697e01f66f212093a2899f84603f02f038b57d6041ab2401d9d70ce4465a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
1211abc49454646dfdcdcd09676d0cc7

SHA1
f2902d075856cd6b55b41ece82a0af2d5fbdfc2c

SHA256
50d6813374eed3a2248bed66944006774b3f55add3693becea012ecaec5fe631

SHA512
281bac2644fbb7e9a4d4b5434255951a3e3d30a6ee0947caca7e446edb976c7e523a7dd5239e4bc220b02110d618ace558c989a37cd9181de92d33a6450c4c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
7336c6ec22646da0e9540cfa492a5fc4

SHA1
bc067d851433a4ab2240c82c2e6625f56c2a6d1e

SHA256
e579ca0ae2c77e6e22d0766ebb65e37029c367ca93df0f590adad56f1439f8dd

SHA512
af329d5d8497a9c369e166339e2c56ea0f121496a3a01d80449133566a24ce646dcac862d1fe20f29a524f0e7126284715c7a6fb58ed70d9df6d430d1024be47

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
a9f4b42ca25d660375db3d8717e3630b

SHA1
7ac5f941f38469d4113fd285435dfb4179ecd38b

SHA256
f93d6c64db67639bf129a67022af4a90ac50b9a41cac5ad4f891c2dcf3f64e1f

SHA512
5726cd1204f31f855843c2e6c938b0703d0d643f098a118f0486cbdea1f370c010d3e7c764c8fb2abc314affb5853ddde8e8f440051ca9d0aee2884aa6d477cc

Download Submit
C:\Users\Admin\AppData\Roaming\a0900b797489627c.bin

Filesize
12KB

MD5
d4310c309a772509ed40e602f8c63557

SHA1
19f7b0b4a661d154b25a86b4cb257af8309c6ebb

SHA256
35a936d23c8d903783d3445529d8ebe1acd67f6b79da85556071a9c34e40e345

SHA512
45fb43326827ed5a895c7035cb0fbade02d3fe8f390448a0592c079f45b4dd90a6c6dd65c5975715b0e01efaa8d96b80e7c1db19be06c50e9e3ca1a22915abaa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
17f57cd145a0fb81fbae07351877d215

SHA1
3f9b954b807fd3a808441921ba16439e564f0bdc

SHA256
d569567e4a02c6394eda027ffa98dcf6148481dc9477887749983736a3d30dd2

SHA512
a0609c68221345608b2450f0d547a79e9db3b9010d66b153d9b86694e8a67a579e2d19e87a2ee4dc755617fa6476127b30a0eb68c079ed281f7ee0afec790760

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9b26c3d9b54b87f837a84bf0031ba9b5

SHA1
fe69fdbbc04c32905d0c1687627511fb39b1f45a

SHA256
54f2d778e22fc57b32c2d865e5aebaea7f92a2020cee542452ea6b8d361dd188

SHA512
a56c5533cde0714e1c23166e212957ed6c4aac6078fae26adc1715329d4d9f886a2ac70d66a8c01ba273ccef6ef42b80fa28f4c6d80910587311d36ca660a165

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
1054ee6959bbb70d90a0241e4348c9e4

SHA1
827182ec187a93edee8e1a61c24010a8e1e2b6fe

SHA256
f58e319653c17455f8d3264f63a65be2b23022adc7f36f88fb30c3aa83ca5937

SHA512
2d26b5a7a76bfad70f78f46da2d81a90868e92d33fd3a4b6a9e34c588a0cec03e21b5d1dd2a50bda8f074027743cdc04227d9a6de66b117d655901260b6f30e3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
efe9c7a26e3d61a965d800c0ee993b95

SHA1
a2a0af9616b3a9b9cf75d2cb2c7ab0f6e90bd23b

SHA256
a7b0dbc938fd551351a3ebd7ce950255267e4d042f57ade22ba3eacf25122b1d

SHA512
34c08e8ea7ec04955b2bd45b85e7dabe28c40df66c4b4141e2edf6920c5d6d153914851fd296b70b76fe7c36b91015c385bb8f9e43f195ea9458818872895850

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
82f7b4beb7719c6855c424b1db676d67

SHA1
1aa73a0204ff93fc4500f0f69cf57b66e09a523e

SHA256
802bab8cc1f2d1979878a9b7d4d8693344e96cfc23688c3f847469b73bc7b858

SHA512
a02ed82cb84d6948aa8db73440d74d762a8c53b7d9968d41ac6e737ed6a668c99efa83b3339841d2caf68b5c1ad50f0d87ca535c59ef7b5f3599a4d25bd319d6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
8e02f86333aee714e273266d4d184c0f

SHA1
48ee0775a8069aa3b0d980784b65a27b78566a99

SHA256
bc6944172a6e7fba8307c33444f2c447a8ced5f3bd6dad351a62c48477d53e3f

SHA512
f09168596d5de23cd743304ee1a22f13b7e983ae6533c0c656156396caaffd24e9abd4cf367371d31922c27aa50fa58a5529bdec4ab4a22dbc79f160161cab5d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
6e83f9b081cd3a16a43eca1b6a738915

SHA1
cff9990d7fe77f35f22fe7670e2e15fc92b75cb3

SHA256
66381f39dbf4e1eef64243d9a3b1dd3e2c70faa3856be1fedb88147db00b693c

SHA512
5c00c689c432a6c7a3c2b37b44efb572dc909e99d12e6e5e65fd1bc78dc5be6f155d2ee0829f55c04dbbd3220f8e0b4066eb5c2fb006bd0477a300951beed9fa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
174875d73c8684fa5e000a1176b4446f

SHA1
e250f412c480f83b2fb2045208dc792f42636ec8

SHA256
3181e5d51dfba792cd848d7c149e16139388f10698ab7dd3413b90efa1b35248

SHA512
54fb9044da1f21135fe6143b7ba58f995631da906feab76d7df9f1f9256425c109f533441412ebfd1f1432dfcdea8ea0386d414cba5d39b4a3be89c24603c672

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
400c363c40bc147feb4b287faa607e16

SHA1
92e7f3119f88c39023a05cab836a17a1fb49506c

SHA256
ddf1e5e322b87f43bb42c82a338f22c7c2c5c8bf6f2fcc2128b3024fe15130a4

SHA512
f811e571a5e9f96b4ca27d70683ef13d9061886881b4ebe6c192b1650ceacbab6b64e58ce41dcc8866226dd4030967d5fd76f4b446602f1b6da4833fcc2bb173

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f27142d3e45229281d52f38d69e7a5bf

SHA1
418dee270c74d6a25cde81cedebdb1f108cecb09

SHA256
aee0fb2f9e02e0563b522909042e511e35444901ff445bbea6ef706c70340e04

SHA512
d3c10dbb840b9f00b20f1aedd90e4d9d637c6f2d10a36f9a238edd6d36ac4727af756afe3275aff5cf378572ab760209bc07843d81bd978a7a91d8f5b456152f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
71a128e66f12c17fe341e33f50b91b9d

SHA1
bf679b46b2f7493860f3edd19eb14891a4994d79

SHA256
9e20f73eb36d343e2384a24844889e46eeb8479c77d654b3ffef3bab14968e30

SHA512
d0059a9996f29227f8f1d711a9e9623a45cb88d66cb6afc20b6e6663227f2b8cec95a0c6884bca66abf94ca4523381e048d59a9fb04fd97aa6a38b7b45f99fb9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
64e4471825ed4b3c85b82fd4d11065c9

SHA1
b4831fd372aa8128bcca39de57a2228e9f8464c6

SHA256
bf51ce0eeb5873e5461bd83cdb127a2d592f10e3f0bf40a8c0e762f1eee845db

SHA512
47a1f84be0dbb587c95709ebaeafab4806477957fc9697c799c4949d52414def4cbcef2382a71237fe5cdb7d46239d22fac882c22831ef2717b764ec4ef3bc9b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
283d511038dbf1ea61d73c2b8b1734a1

SHA1
2ed83670edde4a946400bc89145d9d242815ae9b

SHA256
6a8456a5e74613b74def3568bcc0c5ee20869aaf52379402978c486662a22cf0

SHA512
5ac41f285666e40adfa0edd602337089f5cf331ec069b0ac9b275c715eefbdd4a1208b3fbe8ac1da9d1ad2a6634b5a79e337e61b17833f164732b3f1210f98b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
57b3c949b0af9fee4fef17b04886d0fe

SHA1
786d37908a3c7037aff6afc5980a6805ad14944c

SHA256
25b3b0f0a29915e10ed80c0da50dcfdb69bc2b1e36692ada3751316ef6ee5600

SHA512
fedeecad0407218313038a4d5ade9cfdf2d5de298553494a2695885a93f2cedb9cdca516435ec015a8a22ff790e4746999cc5993c56ff584c8ed3791e2e9398f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
204c0a713e5db2cfd8b7de7c6a37462a

SHA1
eb0ddedc619108d9ea45c84854d106c5147bd6e8

SHA256
d67ae55043c95143dcf2d247e72a817a4ecde7646c996c5ea0e001368e663c79

SHA512
d29beda73ddebd7eb9caf802cfd6b508c739ca9a0438bcbac6e6dd2e05ca1aefe8a577fdbe0f6a0faf9a21dc28e47f931c7cc47082d2de5765f84c154af0353b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
78d3eb4e1527933bea3fd35efa549b64

SHA1
0e75e6fb524eb1a963cf2c3f03ba2b5170f124e7

SHA256
564891aeac1cd855e52d8ccb8be9257d730f6a50619b31be49da5c2d4f19178b

SHA512
6ccb1faf9706f8131d113b74372169454bb0c800947ec2187e645d0b8a00867d0d9126b66687ff9f6ef8e06e2afd198bf6637e1fa327f317d0726d188470896c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
21fda9cf4ee05099fe5c4269018ef365

SHA1
d492addb5c08a4e8138f4405c1c70b83d34884d7

SHA256
08906c48e26a696c566ca6fff1b477d3504e28feea5b0e978ceaea94bf466461

SHA512
dad2bac67f19dc0ce6ae673b9f779dc377b8cb85a6b9d01c5de7781848329d5606461e9535dbd60a4ba098fafbdca7db8d8df714af033dc419f81e70eef786ac

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f30d118401d277ee1a8596dfc928a01

SHA1
56399017896ec432fae9d2cd7c0bf32dbde0beb7

SHA256
cc74e2c28721012332c9c4b40e48bf06085302b903d239e31359bb65fbb141a6

SHA512
952a48a8b0e716139fd6a0d129075118a5dd6e9d7b3fb6e84102cec1907b84acd284d7a659626b56cacde42b07bfc61311227685fcd2c8197ea667ece7bf41a3

Download Submit
memory/8-373-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/392-375-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/452-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/548-378-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1712-379-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1920-352-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-70-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1920-465-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1920-64-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2120-355-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2336-354-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2436-99-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2436-87-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2696-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2696-552-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2696-17-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2696-11-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2812-35-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2812-21-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-6-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2812-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3020-36-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3020-602-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3020-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3020-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3176-353-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/3264-350-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3264-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3264-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3264-715-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3504-60-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3504-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3504-73-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3504-54-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3828-582-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3828-358-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4220-357-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/4324-369-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4476-370-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/4540-43-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4540-49-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4540-51-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4588-362-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4844-380-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4844-716-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-356-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/5360-727-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5360-555-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5920-517-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5920-577-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6036-717-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6036-530-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6128-565-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/6128-540-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download