4795eb4334e2a993ecb3b27972622da3bf7087960fa396f81f00e500c874a40f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
Size

5.5MB
MD5

8cf18bf91e903799ab592878a8bdd29a
SHA1

fdce21c99ebf87090301d8f3b1c436ba9d4eba5d
SHA256

4795eb4334e2a993ecb3b27972622da3bf7087960fa396f81f00e500c874a40f
SHA512

4621d1c1deee00ba9cc49fad191f46e179ddfcd8ed74820acd8724000ecf35acbbdcbac24a69c90c6e2f5a8ac5242a1b09771b200729fdc9489e8b7ba95b6ac6
SSDEEP

49152:xEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfq:1AI5pAdVJn9tbnR1VgBVmwXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1088	alg.exe
1368	DiagnosticsHub.StandardCollector.Service.exe
5096	fxssvc.exe
760	elevation_service.exe
5056	elevation_service.exe
4812	maintenanceservice.exe
5004	msdtc.exe
4536	OSE.EXE
2512	PerceptionSimulationService.exe
1916	perfhost.exe
3784	locator.exe
3168	SensorDataService.exe
628	snmptrap.exe
4604	spectrum.exe
4496	ssh-agent.exe
2644	TieringEngineService.exe
1632	AgentService.exe
4472	vds.exe
4580	vssvc.exe
3044	wbengine.exe
3148	WmiApSrv.exe
700	SearchIndexer.exe
5260	chrmstp.exe
5288	chrmstp.exe
5452	chrmstp.exe
5472	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bb736dda293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f0eb28e39a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8c0a38e39a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133601904946268293"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f81fe48e39a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff4d508e39a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2456	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
Token: SeTakeOwnershipPrivilege	1092	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
Token: SeAuditPrivilege	5096	fxssvc.exe
Token: SeRestorePrivilege	2644	TieringEngineService.exe
Token: SeManageVolumePrivilege	2644	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1632	AgentService.exe
Token: SeBackupPrivilege	4580	vssvc.exe
Token: SeRestorePrivilege	4580	vssvc.exe
Token: SeAuditPrivilege	4580	vssvc.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeBackupPrivilege	3044	wbengine.exe
Token: SeRestorePrivilege	3044	wbengine.exe
Token: SeSecurityPrivilege	3044	wbengine.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: 33	700	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	700	SearchIndexer.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe
Token: SeShutdownPrivilege	3712	chrome.exe
Token: SeCreatePagefilePrivilege	3712	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3712	chrome.exe
3712	chrome.exe
3712	chrome.exe
5452	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1092	2456	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe	81
PID 2456 wrote to memory of 1092	2456	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe	81
PID 2456 wrote to memory of 3712	2456	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe	83
PID 2456 wrote to memory of 3712	2456	2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe	83
PID 3712 wrote to memory of 3556	3712	chrome.exe	84
PID 3712 wrote to memory of 3556	3712	chrome.exe	84
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 2744	3712	chrome.exe	95
PID 3712 wrote to memory of 4084	3712	chrome.exe	97
PID 3712 wrote to memory of 4084	3712	chrome.exe	97
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98
PID 3712 wrote to memory of 2256	3712	chrome.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-14_8cf18bf91e903799ab592878a8bdd29a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8c3bab58,0x7fff8c3bab68,0x7fff8c3bab78
    3⤵
    PID:3556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:2
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:4084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2160 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2828 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:1
    3⤵
    PID:3804
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:1
    3⤵
    PID:64
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:1
    3⤵
    PID:5308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:5324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:5340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4848 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Executes dropped EXE
    PID:5260
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
      4⤵
      Executes dropped EXE
      PID:5288
  - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:5452
    - - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
        5⤵
        Executes dropped EXE
        
        PID:5472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:8
    3⤵
    PID:5900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 --field-trial-handle=1912,i,3320466948629164642,1762200571246742350,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4604

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:700
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2532ff69e8110bdab834fcc207ebb83d

SHA1
12418988e6e09dcfb3a5142183444c6d7b6934d3

SHA256
e78c89749b75bbcd485b0d820c757e91ce220125377ecbe552c081dd99f40a12

SHA512
45f3230acb467a0169f3b8b518aadce7cbe00d265fead77eaf5bb98496a30c34dc1b6a0cb656d9ce2de2dd99819dff3b3ac673d351313a66fd53573fecd2e989

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a4dad57945f2084f8266e2ff15d8bc2e

SHA1
ac48c7ddc67959e11aee12d50f8e49f909df1437

SHA256
3beb528cd1938377fbc40056a8a998588dabd53b27d28f6367f750ed558ed113

SHA512
0f7995747a9b13f99e9369aac6472e5641b1f78b2587116b19c4773a1fb74bdb1ace4b522def3c3adb66f0d119421f5d1598588944e25f21f26e7ea48fc365f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
852da7b1297443747742b5ce2524b64d

SHA1
8ee1eff0bf24d49afd6a1df011ef4192f478b989

SHA256
fc0719829f92087e788a1d5d0d9b3a5a11e0566a1432a4bfb2fec05cbd40996c

SHA512
94e0666e4490a31e767295ef36f506c3537e0279dafef8d3d092d61f9487fa76ab56158cbc1be023e3143275b1ef03a2fcd9b1835d7f4dd944a5fa262771fbc2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7c2baac7ea68d060e30e5efe352b1918

SHA1
e2eff0ee491c8277a5d056e1e469479c7cd380af

SHA256
6e7a94e7362c1bd05a6bb7109412dd8d773e04ee4fa383d37c568a1ea6b0cae4

SHA512
f0af1b0c7c77e4f352ec2658ab903a1850f17fe2d8fe8ee521fd7bb43a6496dd5f4cab9740e5ce028ab62aa52455249a20f497b75487cf956c54d9fda686b4c4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
93de047b4672ef67f87fb31e4979f84e

SHA1
cd1ae38b0484e1a76eb52039e261c6f5513e3daf

SHA256
e57b7dde4e3166e8e839bc40ae286baffd62b3f4a6925f0b777e058f8377983b

SHA512
0fb2beba2de15583287b928c57ccf77771021aa0c935018670c66a5068841c00b90224056a986c2f523f5d8ab23a36078d59557061d3c1f0881a41a166be1fe7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\6fc4f979-d8f4-49fc-9cad-dc9424afebe2.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
53f89bcf0a85a03e8938d5fe951cb5b7

SHA1
5fe91f8e6c2b8c74c343ccfbb6482f5d4dcf5cdf

SHA256
fceeef3d6af6c67d6332f9ee498f480acabd470632eecde02c72254b99d373eb

SHA512
ac3cf250dd7336d6d52e0279216b694e199e7d8d74681b0fdba111f806dd4e77e34f73d67127a6d0a3eb97f15a399a4b443fada8c590fae3623837bae8d3c017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8d7582d88afab9508ffd1911c5b417fe

SHA1
be5322a202a3b06afeb3bc3dc0b98dd150880642

SHA256
0e3e3ee744e90d36ce75ffd9203477be4f3b2f27343573d5fae2a840306c12e7

SHA512
1bea1748fa772e3b3bbe3ec058691d72f663041793227f8d97511220d7e2b703d92de06cfb4162167cafc96a913ad3e1c412fac057fc790e975656c65c004e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
acd350998081dd1a2408bef66618fd1b

SHA1
bb249206a94031a93cf809459a3dc40978f7e974

SHA256
272bea57748d0e8fc416a7ba8e175397f99d265565f83432ce85300af50d978c

SHA512
c910c1808142b13dcad998ac6e913f5e0ac111a42ada1792b2dd88f276bb6c9db9ba3d0a5a520262d0a17ee33b2641a07bfcb6d38fe019b481fb868fd4d9d531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f04c26f6651941ba332e326412262902

SHA1
1a34352e445f7a6fd5daeb95211a3abf27a4e343

SHA256
90eae89454021559157a1ee88ecc7fa197fa5fac0c22bcd7c8d4e80af85c1877

SHA512
25e573e31a790b38a5816015e1323f4733004bfebead553280e9b4aab403d0ecebd3aef7aa392c708596d27618e2ff868c3553679a9d6c799338ae2158b2eb48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578472.TMP

Filesize
2KB

MD5
8441fa327ce1f6c12f371a1535e655be

SHA1
7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071

SHA256
975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158

SHA512
986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
0f56fba41d47b0ffe65fd91151002e7d

SHA1
9206c30ed99936b3c5184bf4f9ef70988e8621d2

SHA256
83e276d542e6ec3205562bc01b71f331521fc2a37ffacf97a1c8da3b5a494a19

SHA512
fb11e6afb6674b031c0f2b1b0d7ef575eb337b6e8290bdbc7dff0b14d9650682563cbfafe4a416891b7484b462f1f82b474cf77f0c3a635adbfd1ddfc161d22c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
50bd4ee559014d4c8fc8140624a0d84d

SHA1
295ce8202017accedccf38997ca4079b7a376fcc

SHA256
b83ef811cf601948a285cc6ef71aa460228ac06f999b82e012268391da719748

SHA512
3fb6651a47c12462b05b2b6068ee0a9d8dfe561264218e444c2bf6d22896ea0c7fa5745e3bcf9b5e96d287395cd484d41640504d52f502640c86d60cd60b15af

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
1f956937dba14070b30512b7eed9c4f6

SHA1
c7da3b6a29acdd6e0eab40bc150c5240db53d992

SHA256
d9e1cd354fb05de94c6e981a68807f064b5025d7e3970663eea03be0f4dd6313

SHA512
b4d1dc70fe21489934c0f620ab2331507bdda7c7e9dcfff7c2a237d38d94ba7173eb8502de5b3e33597e1fc28f4ce53d29f4f39a812b4e78f6635488f0c6d68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
d3e2ca5ced9e879c0df337577aa018e2

SHA1
6e19a53b58149ae82f45fec6471f8e48c9c60e43

SHA256
f9218b5e39eb51d1f8e7dd57745450f93de334fa82c44a0326c96b016d4cb268

SHA512
d5667de3c6d1b201a1b9587007cb1bab85f7e35e3a35538a02b7b757143780c0f371ff87e9a2c96e4f953c82bbd7f439b6ca7129540e6fb1bf46cce0e6604150

Download Submit
C:\Users\Admin\AppData\Roaming\bb736dda293b476c.bin

Filesize
12KB

MD5
82b3ad1eaef6688a26cc4464c1dc3a47

SHA1
77273cff9640b672b485c8bde3c2849c0c1d1f06

SHA256
aa05b0a520e62440c1d05b3253f989c1ee69cb68edbbe3c23377242ca05e9e38

SHA512
d0f2522715163efa2947608cddba590e4104698ae7e88407c357a912e1c10690eca273197fdd16c6889999bf2f3f0627606e5aa5d055c173603ce41766450aa9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f94c98f1ade502dcb7409ede33c6bc47

SHA1
dd1124181d48450cf4ee9b5eb059e9d2f98d5440

SHA256
a80b1297383c693b51ca1bf2644e0de3beee8a21fe3ef937b3fab2a9065a7097

SHA512
883ed0b005781be23812ebf8fdb665bf66ec9fd17e441101178554ba31f21118d484ba9a1305b6214c25eee911f29cee4fc52f04631a2582e0331006fe2cc3bb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d0c9c40c70fab0f2d8802c8e9846e329

SHA1
1d45d77f5e4e1cf7277d39a9dccf2e401118f474

SHA256
ff18acf6ef269c774058d1479caeac576d6a41cf167f6920aebf6268c919d4bc

SHA512
150c2cfd48da1f0b5e2e9589aca103d1c023c610ef2d2c94705a9a477d7770a2a07f0c5ac8a8d9cdc474e2080ee7692860f310c64d6393a4b11eae75217d65d2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
64ea5a87bc446871f64c7aebd8a4df86

SHA1
cef83e783288034078a8a4e70407ffd95cf73dd6

SHA256
59f20ddbcc17fd623099697b387798335f0878679924aa06a212cb5770858272

SHA512
7198ce521e933b2c25d28d98629ba5998c3c2967437346bb252442dd2cbbde56490a51238c6e2a4a771316d26a9a00d82e5bf71a1a557ecf1764d128c1124f0c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
30893a9811087b60baabad59860ccee3

SHA1
b0919ccc0da1838f3eefbc5856ded95f3e05eabe

SHA256
c420ff1e11ea7cd7c180485c1666ce5a73e3fafe017735192b774dcdfd39b27a

SHA512
6a5e97fef3a7a8c189cb185ebff492d667f3329246669e25f04b1ce1be767a6f1306fe4431a9a2fd6020a34ee788a7e6a7600cbfdcd71e2a831b1bc0f9aefb93

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f407b6bd4b3432fdab76cc723d9908e9

SHA1
a70339f51050a5903b71afbcd8f1b047bee1b227

SHA256
89096407882c6599ee5f594efd62d9c7e5a728cfd27ab3bf02338830b2feca0c

SHA512
a8d0387ae3b1501550ac2d033293a1fa9238445ebc3b252aac1cdd07350427015d99b9db21b0feeb19ac8d4229b59cca4c6ff56929c1410877ece86a149d9c0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a79eaa90a0bbe1e6c82090e373230a5b

SHA1
6b868dd248469195a2e1ec12a2dcc8dd3edb8360

SHA256
8ba5a8a7623c7ad046d46888f938e3b5eb9a375e396fa943bbd352400ba13da7

SHA512
71a3d0e3d981927c7cb890487afe9eb6847e96bd48c9a5de6e302e04149ab91fdeb22bc07ae40bae7785b9b6439b63bb49c8d8a1ff4e47b2ecc6e716a789e18c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
165af9b51cd4769dae35d5217624c67b

SHA1
d011eb1fb33910bbe84afcc13f94efa901852e7f

SHA256
cf54792dd38d537e0d448c44c968e014634ef49094d4b2fa8ede66a4937aa600

SHA512
ef1714f46bc0bdafbed2cb3d594bc1299e9a26abd958cd55df0bc5602b41f94fcbe3fe73f853b044b12c40ae22bbc190a912eabd73ab44aa1d0e33ecaafc0710

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3b9a2ee4fd0ca05c7247a54d88b87503

SHA1
f2f90a6531b187ca99de7fa0935aafdc68fb9504

SHA256
8f89f672cb5366dba450084cd97018f7eb5fdcf631e3472a20e0ed59ffb898eb

SHA512
a85951cade9a9c80c68f50fb0cb373c392a5c45e7592638310bc35bd169b510abd0c4384a02e8e55a88652beb036793d8c5327ae8957269d5b4a46ec7de8da76

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
591fc8bcab7994067e76d195ae73a606

SHA1
87fce3aef18af8caae8599b57c7b9e08cce732ea

SHA256
b9420b052dfc62776df115a57a7e0dfb43a677770038da34ca07099c12870c2c

SHA512
36664f45db600ea2d37d4567141860f1308199a08a6fa0d5be7f0a90f016b46d6ba771fe6e08ab788cc87c8103630fb2b71775c1639271490dd60c22228b93d2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6238f5860c5f7a86b98c2329f2054298

SHA1
0b0e2b5cbcc37fa45141947b135c717a22b4d12b

SHA256
68ee9ea097b22f42f23995d45f3aab4608ccb98b600d29326e42e9156bcdb534

SHA512
0179f0ca7d9c021a0ee190390ba56d595a6e10389629fc3d25d3eac5ed8d84b8e1b2e6a25718414eff0263730f60e91262042526ef90b9bd362255d485c6ea26

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
33cf25b6c1e901ede5db0b7317bde521

SHA1
6817b7204dc6d363e3f700ba0082a1efd951f396

SHA256
f02a0fe011e94848ebf2b44e7bb23e77839e520453a1f4b963d98ec502880122

SHA512
8ed5bb7065947f668149021ae17eeb656681d897e4f03891ef7d3c57e4f57a0254a1d62270d810a00c79049ba25d0ab8725ad72fce8852c4d532332577a98846

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6b9f8ad630f5b12090963546382112e6

SHA1
dfe39bae87ea55c355587d6ad8772a67e9451ee0

SHA256
ea28bbcb3a00235fad47793c198f1362af6498fbf92207998a18dcae2d0db0ba

SHA512
0d5ebf7963c1be2885cb8fd0c7327f538183a0840870420f59d1fe2fec8739a528a64f6c7a1b0c112a9091fca72c0a17de1050e096ea1f644afc5b227434925d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
05f223f5a8bc5770e357cb517449af7c

SHA1
2efe78d1d41467edbb0b3c521be26dc75ffd7e65

SHA256
fe4a6f914dbb2db186487beaeb546c867630c77da36d35350848016e918150e1

SHA512
ce0bcd4ff9e75e59b7a5b2f9dd363038bd76395c69ff9c1d5d8ffeb20f48dda9c1a3afa64718d684b838f240f7fb0c79d395b8f03590e3f1277ef72aa3628358

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
da0da8547276feb202b0fbb00afeed44

SHA1
0608c0e2fe6f06c3ac8e35eb7d174f843e62e278

SHA256
4b321e3c968391c8343dec37b52fb733d1aa7847635906403760fdc286ff0286

SHA512
421de6feb036c684f5c2776ece6f6bd82bfdd6e5fbdc20e89c576d99c1f652172407b89ff2e37c296a49692d139f8bcd46e2864694e1e6ff334a1726ef5c2c69

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
008b1e48bbc08eaad6f4e5e307961855

SHA1
bd4b945eae357751dd1e19c8dd4093252b7f9d79

SHA256
a989dd0914b86dac9bfe41e899b8414e662fdd3344c1554e95805bf1007653ff

SHA512
37012683ef36ef64b73165b2a36cca35e097873d16b331a204d09b7eeee468fe34c153931ca8565088f869f7aab1dadef533104c9fe9d9db53df55f3f171a14a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c6aefcda0deba10c32064dbedaa48446

SHA1
ddd4d5d9d1c8d279c5f1097012df1e692913d514

SHA256
09b0ec94529f2383120c7f2f66010db2b715c09663918eade6a2e2ba8b5b573a

SHA512
b9acc8793e50d36070fce910388dc15801a6e178a22adead4e28b190a9049d3d602e4a7949563a6187411b327337f3e6afd36b6d921074a553c3a312138aa354

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6ab92b08ffca1100730ac04c0b03e664

SHA1
0a6a428274a24bc8c9ca1f3a20bf47e2a0848a75

SHA256
db32c6c6e19bc83ca5d880028e6ceb5c8185a8dd629e90181193e3ebd3919871

SHA512
631575b7001bf40455dc920f5aabbe22d8be9e0181c8ba9953eacbd64f7495f26034539b1cce3a7b91312ed90bde7ff4d7f2d5f994c3c54ae102ce618fdfbc42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d9df2578f9c4be0ce511894417ce464a

SHA1
079f482b92161036e8766c6373ea8852c79c8fb5

SHA256
f2b2ae32ff6a9b89512bcbdc3d3c30aad7d95a26367c75e224278867524a54f2

SHA512
f2963b1cdcc143c47ba45b94701055febf7ec45c3a6d283de29ab8434a9319c74f72913f0bf0c00fc61d97e5938279ea67b9e83a4faf51e6c47615ab72ebaa9d

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
440112092893b01f78caecd30d754c2c

SHA1
f91512acaa9b371b541b1d6cd789dff5f6501dd3

SHA256
fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6

SHA512
194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d5ddad3d1ba751204a95b89af80f5333

SHA1
3e789db13e41a172688c888724028734b89934f1

SHA256
77edbff977d6be3b16837622625a56a12d4e483f52b3544e181efe56d50760f8

SHA512
f7ebaee4378dbae3dd19fc3d192adbdcf8bbf5c27af94c804c8328a8d5f6cd42455da36e5fb9ac61b091ab3811746f698a0f32fb6419289e430d6f94d92df8d9

Download Submit
memory/628-519-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/628-149-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/700-568-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/700-254-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/760-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/760-47-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/760-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/760-153-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1088-411-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1088-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1092-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1092-407-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1092-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1092-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1368-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1368-55-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1368-40-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1632-185-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1916-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2456-1-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2456-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2456-29-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/2456-23-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2456-7-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2512-100-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/2512-133-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2644-193-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3044-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3044-196-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3148-200-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3148-535-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3168-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3784-457-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3784-135-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4472-194-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4496-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4536-89-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4536-95-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4536-130-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4580-522-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4580-195-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4604-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4812-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4812-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4812-70-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4812-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5004-132-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5056-456-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5056-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5056-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5056-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5096-85-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5260-422-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5260-501-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5288-433-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5288-636-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-446-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5452-490-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5472-458-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5472-637-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download