7529a67dc06b15b9f3dd0b7a0e1688551e64bc3d5a197ca6894c5d9b0b459fb2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
Size

5.5MB
MD5

a1f279583aff06621067f02101cb17b3
SHA1

5a5a52a3f6bfc57f5f69fcd302df7921a97c1f6a
SHA256

7529a67dc06b15b9f3dd0b7a0e1688551e64bc3d5a197ca6894c5d9b0b459fb2
SHA512

207232dbf610e33c817da4b26b32e47b56789a00bc230abde50feb6a7eb3b5e62d710a3eeaa7cb2d2045ad26339182e91b5b0b197d1a6274c2a355b6c184c766
SSDEEP

49152:jEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfk:/AI5pAdVJn9tbnR1VgBVmK+thSa

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1400	alg.exe
2664	DiagnosticsHub.StandardCollector.Service.exe
3584	fxssvc.exe
3736	elevation_service.exe
3832	elevation_service.exe
2992	maintenanceservice.exe
928	msdtc.exe
3964	OSE.EXE
3896	PerceptionSimulationService.exe
1012	perfhost.exe
4068	locator.exe
1580	SensorDataService.exe
448	snmptrap.exe
1016	spectrum.exe
4976	ssh-agent.exe
5064	TieringEngineService.exe
1716	AgentService.exe
3672	vds.exe
380	vssvc.exe
4520	wbengine.exe
864	WmiApSrv.exe
1748	SearchIndexer.exe
5668	chrmstp.exe
5768	chrmstp.exe
5868	chrmstp.exe
5948	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

Processes:

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exeDiagnosticsHub.StandardCollector.Service.exechrome.exe2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3a83c826234f82a5.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exechrmstp.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8AF88020-77AD-4F36-932C-90EB553F7474}\chrome_installer.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f402eede9d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b9d29df9d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ffe4adf9d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b62552df9d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa612edf9d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a3ee9de9d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000547622df9d99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b9d29df9d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006929f5de9d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044e3adf9d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3304 chrome.exe
3304 chrome.exe
6136 chrome.exe
6136 chrome.exe
6136 chrome.exe
6136 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3304 chrome.exe
3304 chrome.exe
3304 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3304	chrome.exe
3304	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe
6136	chrome.exe

pid	process
660
660

pid	process
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2404	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
Token: SeTakeOwnershipPrivilege	5004	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
Token: SeAuditPrivilege	3584	fxssvc.exe
Token: SeRestorePrivilege	5064	TieringEngineService.exe
Token: SeManageVolumePrivilege	5064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1716	AgentService.exe
Token: SeBackupPrivilege	380	vssvc.exe
Token: SeRestorePrivilege	380	vssvc.exe
Token: SeAuditPrivilege	380	vssvc.exe
Token: SeBackupPrivilege	4520	wbengine.exe
Token: SeRestorePrivilege	4520	wbengine.exe
Token: SeSecurityPrivilege	4520	wbengine.exe
Token: 33	1748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1748	SearchIndexer.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3304 chrome.exe
3304 chrome.exe
3304 chrome.exe
5868 chrmstp.exe

pid	process
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
5868	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exechrome.exe

description	pid	process	target process
PID 2404 wrote to memory of 5004	2404	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
PID 2404 wrote to memory of 5004	2404	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
PID 2404 wrote to memory of 3304	2404	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe	chrome.exe
PID 2404 wrote to memory of 3304	2404	2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe	chrome.exe
PID 3304 wrote to memory of 896	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 896	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2220	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 468	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 468	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe
PID 3304 wrote to memory of 2608	3304	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-04-28_a1f279583aff06621067f02101cb17b3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff6853cc40,0x7fff6853cc4c,0x7fff6853cc58
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2012 /prefetch:2
3⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2492 /prefetch:3
3⤵
PID:468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2604 /prefetch:8
3⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3100 /prefetch:1
3⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3160 /prefetch:1
3⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3848,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4484 /prefetch:1
3⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4728 /prefetch:8
3⤵
PID:5592

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5668

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
4⤵
- Executes dropped EXE
PID:5768

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5868

C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
5⤵
- Executes dropped EXE
PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5000,i,1614294174493834013,1009566336296206283,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=208 /prefetch:8
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:928

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1580

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1836

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
d3f6ba00450be74a9f873b34a551ba40

SHA1
dfc32a586b5b72cd96dc7234b4beef4cd743540a

SHA256
ce1bc2432613faf390e04ef7f499d8c76bb48c99d699dee52bcf7208b91dd0a4

SHA512
c31125f00f7266283366eb60638e4ce44aeaa4c29cf945ccc2f65ae1f3076b66c4e2ab3111e362be827954ddc32c05fb88a13743192aa7051dcfdc0d87e1f0e6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
765e843acc915809d3ebec920f77778a

SHA1
c3ff96cf7001a0877bef18f928516cfb8a7e3af9

SHA256
7e2249c1bbbf97ec8beb75703e9c94722aee4af896de25aa371e741e3b49449c

SHA512
4bfb14d23f2ba395554266eb869c62324c58ad41bd79a75916f87256a953ba4930692bf8c0ec63cb28d974e0704422447c9fa5855d7fdda44721a81082ed21b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
04368fe0424c7f50563b0958b5ce7f2f

SHA1
15ca7a9a2166bd8890cfe5ca906787e0c6795b7c

SHA256
76447b3f198961d8e39001ef3932af2de2bfd1291dcb880d7d1ef18e547baabb

SHA512
6befd5a3ca47cc3d6bc107e45073634fe379ddb97d35db4095da384c2112e6d95453eda27c8574813d41193510e2f543ef0674b2bc819b85f30ab7dcf8584ed3

Download Submit
C:\Program Files\Crashpad\settings.dat
Filesize
40B

MD5
83dc51c40db797cdc9a26736f13aff73

SHA1
c62d693a5382d01fe1fe2dca82655890c52d492d

SHA256
5e6fa285fed99271c4136360c6e29dbe489788783c5e2cbe565fe5e6977ded2a

SHA512
56680a4db4d3bb977e947efddbff4a5816aa00db8ba9010e1699abac5d411d180389ce535e92804006804ccfb89304f1bee38b85041114f9b3e33cd5af984306

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
165f859fe51a583fa67469fd5a62ee1e

SHA1
5f6fa8211eb7e5b25c77712484b3051011146975

SHA256
bf9d6edf9b7a713d6db7057996cc4704bd371f210e8e47745d316474478fa8e9

SHA512
1318341caae1e2c380a4490990594052622728aab8179163f4f5d2a8bb4fd7e97a458508c56f5f37e41a813890d8ab21d68c77f087b1eab64225bda4917ea468

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
c3a81abda23a59471d11938936975510

SHA1
113c314f12230f7aa31dae99629be7e2383e72c9

SHA256
30c5d7135476b35967daa5463b7b2bd7473e42a67ca23a20ce74d5530b460d2c

SHA512
b2e4764fd1020b00593f17ae269b5f6374c45db9f704f1cef9b277ae753b7dd383c00383cb9ceab8d223fb73534cc718ad383a1a5640d9dc68fe606c6b6c6774

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\c7474537-0b12-44c1-9b32-8c8bf2685934.tmp
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
1f44ea48e7af58e9ded20b18da223ac6

SHA1
3883679b8eb4d2ce18deb7f3c622ca4d06e0cc32

SHA256
25da7ce9ea71d463f091833fe71748963c25e4b5bb483854873b919cd5f07e32

SHA512
ec3dba04b69de39f45397fb0510a825ba3e6950853ee9ed46f2880f0667269f7b0231b45eabedcf78cf05dbb07f0d0ecb1ba50231fb3fc2f062383a47a7a8fc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
58455847778fa75a22d3b676c87ef93f

SHA1
cc6b06b83a44ff9bbc1b6a9ba506c9eb584427c0

SHA256
1b6c8c14ec9a70d7ed30dc5a54d7d10fa79ff5169b32481e93545e9100e28219

SHA512
fac2839ea71876cfabbfa03e3daa9740e55be3ee81209a744d9cc0ceffc3b8b253d2947f5f88037e4218a4b23262526fe5dd972109d12d2d254e2fa2c6e38a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
01c13683e4cecb5012e198e0cc9cea74

SHA1
ca611d1580b463986749e356cd7f6e072695a11a

SHA256
fb14136e02116892a9b0c970bb963184d96dfdd45316ac2a8ccdbad9de78d8c2

SHA512
2d05686e72a3c2bb2e8a86e9083530b1b2c28bc57d4c1175ff56fa101f2e28d0deab7293ead50bd7bf054a60cc70013f7ef93429f80c10d700edf33a072e420a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c9945b9615d809f27bdfeb486517d1c1

SHA1
80f34f09cb0360746e58ac95c12ad1c0d23f76a3

SHA256
e188c061c11bbc309cada4254cd43cf4638d35e94ea5385d862aba27a0857075

SHA512
71d7eb7ff911b9514ec8bfb9f55129bc06a1c6a4c50a55cdb245586a2a44dc4800271f8a32809a6ca7c6383b3c26af55657f916a78d9309e350a13ba35c2c11a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1da03c4160b60becc32cfed3ef45b2a8

SHA1
e1c16259c26c38a38f0827c9b9e08fa43b7233a6

SHA256
2576482d1e94fd17d5d3ca08d996f1652bc4171c9b5032b50d7c01b95cfb3c03

SHA512
d7270becc6723ab067acf6db0d14c591a2dbed73cbe7e487ca060d2f5099bd87a6c5b2d47b3defe62e7da6f6f623ba11c4dbd3f16d5c6d0d749d210afe0d0073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
24ab03763948a3ecea534c0f7ea7bfd7

SHA1
df6e13dde0d35ff194dfc04e1f79f176b6cf1b24

SHA256
6846f399b36ddacb9c87450522f922d923076d7b10bdcdf2adcb0f8d3ba08558

SHA512
7852e8570702dc36c07788b5b30146eca478a698212f74577dccc7656c410bdfd0aba7e07a4c22f2b4586d065da9a5ca7ef81ffef79d13744f4f632b4341d39c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
80ba650cf54fd8c670343b7a3ecf3e54

SHA1
90d7157d570f8a058f2ffb93319f78e5ec6e5196

SHA256
78ac26bf9a7b5e34633b42070f64eb600815ef32e97aab4fbda99c18744c96c0

SHA512
6c2b7f2a19c4d652e69d88f5014bb2b8dcf3e68666a041d4a9e7e371f23ad6f3416e5707d23701f416ca13c15387ba78e42634507895e40c7210ae3c8615bb6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a426a31b0695b10d7ab907c6e012778b

SHA1
8856ddce99bfd69eb9ee80244c1de24af1bd59d2

SHA256
0623f7001f32a5aebc7fd17523192b7896c27c041410b8a3e4e1326891b0efb1

SHA512
9acf141322e590a9774562491be1aeaad1f145f5c8361468bb73c4f37f5a05bcabd163f65d65b015f9636c817c0b25a398b265588a3e2282b0adeba64ab21a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
cab6cb7f949398bcb14ebdfa6922216f

SHA1
a8219873ec244ce84c910ccfc2f90223e422afe7

SHA256
06d576aa063e37f74f7dcdfcbb82a32b51df793c983ddb219d4751fda0813515

SHA512
0de4c0c159f3c7f46177f1ac429fac8b5c75425c7571c5a7a99ff41099070a6276f6d13b334461656a66e38fa3c03ba06dbc94c5c2ee8160249a29c3df426087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
1de97fa7d2bcbf96e37258f4b25eefa0

SHA1
f046c06ed2483a994c8b9e1284b076d49dc73cc2

SHA256
7712f695239bcab7896f177562c274bf041061a9ea0bd87752c8bb4d9d5c4f3d

SHA512
be46e73f4f8bf6869ce9bdb064a76f5d61619cde518fab952ad5c2e981a95e863488db6a000d19377dbf7f8a216e1af0dba68c5bc2b7c557cd40cf6c60ec62ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f9091bd2e525d7f9ffb81c237679358a

SHA1
af0f0b22a8a263f9e14d0a717244f542073928c1

SHA256
7280a84474100d6ec8e93d6af893fb72a9916e7628618990ea9471ff11955823

SHA512
addbef43e4718f92a4423ee55b44440cc95b5a7baa87e1afc369b380e419acc34ddc7388eb01f1686aa1381c01b120ead169ea8da8882810fa45e0b47308ece4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5777ef.TMP
Filesize
1KB

MD5
115721e2f85c58cfdb41a3acbad25a98

SHA1
7e177ad3d977e38da3731e6423dc2d6e49a0fe31

SHA256
4c705cba00a15431f11b5c5fef9fc14bad973da6d5be8046e08cf8b7430c3c64

SHA512
9749866c16c46db00f8da0bd79472a6b29cb62159605c6e9c6365186a2f3cac56efbcd872d8fa8307d6605d2bddaebac86ec72e7fb6dbce906a8696186df427b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
04384a27877483c320081403e1d94813

SHA1
b98b9a5b364d113deb68494812c6abe364fcc712

SHA256
8f195bb731593ec323d9163809d7bbc20e0976cdda1a12cbbf9887ce30be9f6f

SHA512
fad8145b73afe8dfe92323db0bbc179a2189463f4f0589aaacc304712183a515bb740b17fce8d0d39a32b3e9c4aacd4ad5d9aad795be316f5cac1e745c1ff76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
776dbb628ad74bea926c9a8bfdad326c

SHA1
33f488bf843d734228342b636f2334072071d512

SHA256
06c367aa8488acad62388fb6625018ca3f04f215dbb6098284fd7ab3d4adb6d5

SHA512
9b4e15cc7fbacc9d316fcca88bb8dd9fb25b3503ae7c11384825af74879f057bf9184a2bc8bd00fb36df16f04ed548f7bdad8738fd4f4f31946ef380b26d9b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
2d0f3e2e902060189ae162dcaad58696

SHA1
b7db1b40b64221a4fc67cf940f9e50d791b6a9e0

SHA256
5eaa28df743750ee802869e83ceed15cd9e07f5e41310769870dc3277ee9bd2b

SHA512
71f467cf5188b74d1c7812f233517f7ca8a2fbd9a405a6e8145faf7c335742eb9fa1fffc5638fbcddebf19f26ca57c24788011533526a63b1f90ba8aa4b6c919

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
f10704a27a9b6898525c04630894d133

SHA1
70cc1be658fb7ad2721949224b707e1993c5bf74

SHA256
d9dde75e9cb48e6a91aefa73b07440636b2373d504acbab6310c66b304ac8a9f

SHA512
be53bc2edcdffd7c7ecd5ecdd2565125d1b3477e69b15b3ea8536c566f597c1b5c8cafd0c083b49b3f24cb5cf99cfdfc75fc00501fa35d7a8068c9c86020c679

Download Submit
C:\Users\Admin\AppData\Roaming\3a83c826234f82a5.bin
Filesize
12KB

MD5
5949c4b5cf8c27d76b8087f089395c28

SHA1
315152a61dd5b5fd824c7c649c7efc251bc12545

SHA256
b7a52125be287a7a90534c75594c8a7ef5b78149ee122f5c8293b1eaf3ca6cc9

SHA512
b8d6216be33c4e7da039171eaf272f4bcd8010decc3a2c798d1d5a70fd4d30c4780b4e66d5084e22214e1793a3d7db96cfbac91e5ccb3c02fd3adee4e788487d

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
abd34ecef2952a1ef934d26ec2810ea9

SHA1
b36966f8b305dfb5f4033c6c7066b63b8ed1dc99

SHA256
a6e26bab43d1c3da0e2ebb9737208108c87e5be018bc0c9627e67831552154f3

SHA512
b2b29cfbc485e04426f6b0977103c6095ab31faa2fd16ecc704552518aac382d658446fc2993e89e2b0e6f4c08fdcc3c0ff7e5fcdc6612583274230104f0fa23

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
41a7c28ea96637b316b3ab3159b14951

SHA1
eedd80c4b0ae6efe8694651234ca4f531bb1f597

SHA256
c8cd2f8eabf4aa4479d63ae40c4e9a62b4a6f3e66d53bf8e4b1f5f8e35e78c7e

SHA512
a97e8eecff179ea8792eb25937f9506504658bcbb1c463301504a8d8c3d11d1efb5b11043414134c9f5ade685a9d6da32ee3c50e8f8e2c6e9fef4a1eb6f1e280

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
24662faa792dc716d6c08fac5d54ad64

SHA1
ee478baf773bf01c25bce8a1678d64dddbc57381

SHA256
905121ee058b21577581b0adc6d92619e4fcbae501b305fbc0d83bac79c38f7d

SHA512
b427e6a01debf26d80310bf88dd957f319c0f7f901af0b7da2f08b1178a594334f02ea917c2e4ed19b88d620eddab9c616c9bb453a05335f3d46d3a0d613f7eb

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
335b017441228f97c0af95c0a0eee8a4

SHA1
a132ecf90aeda1692e4d168ef1dfb4ac2a98365b

SHA256
50708555454567774c6dae84e5b8996cef32b28b6f5e86b9e99ace1b993bb17f

SHA512
19b76d8d8c68671822c6473e9d737c82731c0f7b49cae3ebb1570e41bb15de42d07bd63a003b93189c847b46f4b6f253f1363397e4430962775d9ee1a698dad9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
cb9ed81f080f6028fe4cd4f4f6490b28

SHA1
ceb4741a2a8dced7a66ed14fca3ab3a3c311b903

SHA256
db8287139cb2df9113e87e5bbdb79faa1efd9325e495b323bb7775057abd229b

SHA512
38fd0fc4f5b3d46120396e92a1367810185ed3aaede58c6cf2bc01f06839c5104fd649d6f2729d4bdb847daf7637a95f25ba9cf9e213d15248038b50b033d12b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
9685cb7233f6e4602e863b0431802a0a

SHA1
7fa70b5b8518fe799d3d36e561e5148a79036d54

SHA256
15a64584ff6b9589ea6693b142252b6a96ece5d90c1048def7cb3939660de33b

SHA512
d99a9c24fd86dd54faa7d32938cfed752cb8b4fd3a2d48649295dc3536a97581ad335bc4c298a6326ac0845f632382644804d01ace2199f621adcd9ba66ac359

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5e4a5f37a5e13e183b0e2f6c9951b49f

SHA1
b8fef0f02dfc43197016e844ef10af2fbf585d48

SHA256
0735fa455a33d9c6513e41ab3d53bbac846d6f86a87f93a4f119a33d68580d5d

SHA512
a3220b715a8cb8b195a4421116cf09610e5676fc0d5e1239b742225c3e4e2aa0501532d463c8151f9d7ddf33c0cfda84c726cb84778b6bb61a3e44c7127ee6e2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ae5ca660ccf873792fe059fda47fb855

SHA1
85a978ed82bd86b18ad89f56241697a4d62b397d

SHA256
36f10a883ca63431c3edce0f0146545c1a0cfff38194bab0b76de37e8dafcb07

SHA512
e60d3fc31c1afa8974b7ba3a747c37a2036312ccd83a4afb058d2c7f87fcfa26f4bc811d08bada25d97a04df00607fcf88c9e1bef1acfbb4ced90f9d84c037bf

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
96e5d9cb68bf60396cff2d1b6cf46f97

SHA1
892d71e01cad6da6586291711dd03669e5a95c10

SHA256
8160e77a3141011426382dea12efd5e71c1b72baa8745578da031e9363d7e432

SHA512
5467853e357c94b2f10caad4e58e45f44d89a13024fdaac97005c74ff30b9a831ca54d8cbc23eb5112571bcc2ec97d87165c703e7dd5677cbbfcb6a8bf07433a

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dcfbf388cd62490e615ecbbb219b52bd

SHA1
9e5ab6cf079c0c50e9dcf440a463c31732dcc298

SHA256
854296a73681a67a551a302c4c5b82e90d630ae9e11a515ce7326305397b7e84

SHA512
8a166708baa1f29f08794ef9e0e01f9552143c4168ce5221c59eb928390adc5c71df4a94cae7608fb91bd27198a9f809ff4737662b661b43872c4ca965b29549

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
83aab366c2d447d0dcb4fc65b8c15200

SHA1
5a97db688c6e09c441ad0f99a505867c211860cf

SHA256
09eba7af21e3f10858c55140c9ce0f1affd1d43201f2991960d3f1a7cc33a0df

SHA512
bd39c028cd68cc24a44e26b5eb1b9d417827192a57e24be2665873a420f72e9eb68a724956bbae8b9e8b41335e4c1341e934d076254465257f3bd5cee46e651b

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
03ddd2a6a822d15f1c30f63f0903e96d

SHA1
e83c1bd355c876231269ad49e716833f0973da06

SHA256
59caf4ed83ec54849f70f448b0071ddaf65db7950de2bddee90be4d4057aa2de

SHA512
bf8f922e89938620406d9655a4f2982c91056ad451d61364a5759a397aa5c845239aa98559a01b7e6e5b01f8d732435b0f3e904049c1f8776ee9e6ebec0937cf

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
321184444af81eae630ca8292aa1c381

SHA1
f1363080d436a3f2c190b39b8d6eff5f5b7e0a70

SHA256
bbc484a75094e85f2ecc02e59184e2e0e44fb7c8f8e385bcfb64a1349a109a3c

SHA512
d5f001fc0aa2d9004984be616721c954a45072a8c86e28a2ce67ff61d8c85b129d9e01a87dda9ce2293d87de5d70aa41d5f9773e877cb8abb49928e72a39ea48

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
7f4be5d6fa90cffd9c8de1acc1abcb7c

SHA1
7bf836c8eea821bcd96006fef7d8d741ab7531af

SHA256
aaf84fba823a23db77c9318fe1fffb18a8f4c33af6cd19684be3550279550ddc

SHA512
110072fe2c4b9a5a98b67dc46840b1bb2334b4a5036809dc0891831836c3e71d6989c9ab9ec4702e20391a000a8ea547ac22cdd709105e3b1fe35a7060867033

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
d972a2e167a4960cab336ea31a87284c

SHA1
a09b230cedcb91e2bca17e7775d4c3b20a413bb4

SHA256
57aef2b474b88bb33c432ff2e2540818d0590bfb6d5bd26a37e885b2cbeed8a8

SHA512
72e6b95245181ca78d1b11f32f69610e447c3c76392b2253fa4919a64dd695e5468d3e7d7ec06df719d2289f878db878c955b652cfe1068b0c657ccc2bf1b6bb

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d2e6361385930c26010f3c89952de5c2

SHA1
f20963ec8049daf796dca0c84d5a7e06512b2076

SHA256
601d398ba54da548555fd18256702b3aa05b1deac4332d0a721ff282f0ee3383

SHA512
4bf578ebd02df8555ceaf215b1e81197aef498a7ea32b1e27cbdf05a7cc3a2bea870574f8ec96682888162891e6eb02395d874747b2d62938f1b8552dde2c10c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
2e6485039150f330076bb3c8f418f7f4

SHA1
b9e43180c22f8c2d5499703049715534730ee063

SHA256
9baad98e25df15981001a161b2262ec1b408f939be14bf9d56f0ff645efa1116

SHA512
087ec26d28a32d8c1399d3e701d2753cd9ee8cfd7434cde4f3c0f7a1167d0c63142c12e8ce969746f8831f6b0d51afc4742dc4378d8ff92c44a2fe9d2b8ac058

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
57146b9e50b6e5988c8b8d679e5c7e07

SHA1
51fbb8059ff44dba5e684463e569f70ca97e6a9d

SHA256
5db7eaa171ae7c07f1d67da850357901d8ac92f4ac79c6d7b9def5eb1300309a

SHA512
a164eb29d399dd1fb0f7c12dbe36d24c682a94a86cc0a4ff8343177a72fdddff8ce5240a1fb903810c800616450ceb5f84d7172556fd2b2c9016986f72e52aec

Download Submit
\??\pipe\crashpad_3304_AOVTZQIJJCMWQIRL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/380-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/448-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/864-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/864-274-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/928-248-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1012-252-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1016-258-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-630-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1400-29-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1580-534-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1580-254-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1716-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1748-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1748-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2404-22-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2404-0-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2404-9-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2404-6-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2404-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2664-41-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2664-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2664-245-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2992-69-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2992-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2992-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2992-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3584-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3672-265-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3736-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3736-365-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3736-247-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3736-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3832-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3832-246-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3832-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3832-631-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3896-96-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3896-251-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3964-250-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3964-92-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3964-86-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4068-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4520-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4976-263-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5004-615-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5004-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5004-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5004-20-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/5064-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5668-510-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5668-412-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5768-430-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5768-634-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5868-441-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5868-499-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5948-645-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download
memory/5948-444-0x0000000140000000-0x00000001404AD000-memory.dmp

Filesize
4.7MB

Download