354ed86bc085f29c711da06c26bccd49f072ae6e61b0701c919efb65e3409c51

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
Size

5.5MB
MD5

697c6e51c67e007beec7b249434e32b2
SHA1

12d265b30b119adf14d448481396a08e4b7920a3
SHA256

354ed86bc085f29c711da06c26bccd49f072ae6e61b0701c919efb65e3409c51
SHA512

d5d37a511e23bd829043fc20a86c4225134f546c5b029618d7dbea7ddcd4bd8dbb8a457d335df0bf85ec494d2634d94cf5eb7c5ad9d6903ba4e062a70b4d562f
SSDEEP

49152:EEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Gn9tJEUxDG0BYYrLA50IHLGfq:iAI5pAdVQn9tbnR1VgBVmQnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4080	alg.exe
1628	DiagnosticsHub.StandardCollector.Service.exe
4116	fxssvc.exe
2680	elevation_service.exe
2720	elevation_service.exe
60	maintenanceservice.exe
4860	msdtc.exe
2472	OSE.EXE
4036	PerceptionSimulationService.exe
2464	perfhost.exe
2436	locator.exe
2632	SensorDataService.exe
1480	snmptrap.exe
4792	spectrum.exe
2044	ssh-agent.exe
3056	TieringEngineService.exe
3164	AgentService.exe
1732	vds.exe
3628	vssvc.exe
5108	wbengine.exe
1884	WmiApSrv.exe
1848	SearchIndexer.exe
5544	chrmstp.exe
3716	chrmstp.exe
5860	chrmstp.exe
5924	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5157397bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exechrome.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab40400c90abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a72b6b0c90abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5c4c50c90abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ad1540d90abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e9afc0c90abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eb5550c90abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003452720c90abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a526c80c90abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607773989282006"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002865850c90abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

656 chrome.exe
656 chrome.exe
656 chrome.exe
656 chrome.exe
116 chrome.exe
116 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

656 chrome.exe
656 chrome.exe
656 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
116	chrome.exe
116	chrome.exe

pid	process
648
648

pid	process
656	chrome.exe
656	chrome.exe
656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3644	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
Token: SeTakeOwnershipPrivilege	3312	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
Token: SeAuditPrivilege	4116	fxssvc.exe
Token: SeRestorePrivilege	3056	TieringEngineService.exe
Token: SeManageVolumePrivilege	3056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3164	AgentService.exe
Token: SeBackupPrivilege	3628	vssvc.exe
Token: SeRestorePrivilege	3628	vssvc.exe
Token: SeAuditPrivilege	3628	vssvc.exe
Token: SeBackupPrivilege	5108	wbengine.exe
Token: SeRestorePrivilege	5108	wbengine.exe
Token: SeSecurityPrivilege	5108	wbengine.exe
Token: 33	1848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1848	SearchIndexer.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe
Token: SeShutdownPrivilege	656	chrome.exe
Token: SeCreatePagefilePrivilege	656	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

656 chrome.exe
656 chrome.exe
656 chrome.exe
5860 chrmstp.exe

pid	process
656	chrome.exe
656	chrome.exe
656	chrome.exe
5860	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exechrome.exe

description	pid	process	target process
PID 3644 wrote to memory of 3312	3644	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
PID 3644 wrote to memory of 3312	3644	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
PID 3644 wrote to memory of 656	3644	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe	chrome.exe
PID 3644 wrote to memory of 656	3644	2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe	chrome.exe
PID 656 wrote to memory of 636	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 636	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2876	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 1472	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 1472	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3100	656	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-21_697c6e51c67e007beec7b249434e32b2_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8eb06ab58,0x7ff8eb06ab68,0x7ff8eb06ab78
3⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:2
3⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:1
3⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:1
3⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:1
3⤵
PID:5372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3896 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:3212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:3716

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5860

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4040 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:8
3⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3852 --field-trial-handle=1968,i,11728265147273231445,6275494689962754342,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2988

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:60

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5972

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c85b728edeedc2c805c7eb06790cfa66

SHA1
c92c5f40164195baf2df4266a7784d6e104e6051

SHA256
5aaec8f6f0e008397d86419850aeb1b9518f55b0456dd2969d8c5595563eb6ee

SHA512
fcc817d10694ef425bb4d4f538613e04dae2522ca2dccb7c7d8f7086e6d866c82a9a4e27092976a74c29d7224567564ec635f93dcd8c6de45205616d62aacf73

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e8a56674dc0f7db1f21bd504bf8510fd

SHA1
2464439ce42630c3ab69e830c70b3ed4b2bfe515

SHA256
b7b6fa4a0b51211fa11b9cdc35b897ccf374fb825ac8475cb7772339cc82c814

SHA512
268fadc9722e9f8b0994697b0eb6547e105fa26c00147c56c35ac93490207f17945280413adc8b23c5a3cbbfa39f1196b5b2141f1a949d1cb1c0fdc2565a179f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6cb38465964144b2cad096bad9a86daf

SHA1
f0e2093728419eda5095129cf05d3239e4403520

SHA256
99ba5db906cfa295149da0ed16d3e092d3c417c1b26f1612d8eb2e0764372dad

SHA512
9ee263e0a6e29947513eafcd2b8341e925d9ae82c17c2c395825780277c0d733932df3bc9314edbdc0d9e359b2a6ce1722d7315b0a7cd7d9b8097e03d9099ca9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bd141f6c2b80da4b7507180ddc242f61

SHA1
a6f68356b5095b82fa4f781f4201e2f616b11017

SHA256
b8f9b20fb6417e8728ac4b3b78c364901fafbc27ce1b25f159d2bc9121cf2b18

SHA512
fb1e7b118e742ba65c520760f10cafa525f6d9e0c7706fa302c9208a3dd3ea5b21a3877fdacb05f41fcca056434261175cf65b046f7c4ae4a7da35203e2405d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b265710fba6e7971bd93f7274085bde9

SHA1
0befabb69cfb166ea20639312a870f89a9bb687b

SHA256
8b34883f1b8a19c8a28c6c746739a33d3912ce50ef96295b33e8f9a4ad655227

SHA512
1a7112c7e660e1464026e0f5000327c69a6df38ac62f794f46e5e74edd4d2f4d58f2da93a8835ca0e1126a4e280f06fc74190769dba0077bd2c12298fbdd12f6

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\39c00972-69c5-448b-8b2a-11072c5ac486.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
772424160a740ab46f10d75ee3f72e87

SHA1
ce1d08ca4145f6a14ce3727642af5a997f73d1e5

SHA256
00ee43ab7fd127a5e0b86cb4db053f67544834eac165db5b54f4b1d406952b84

SHA512
920600c6e67f96b735a40de5e0c4bc1c585f49dc7e92bb07295bc0fed6b1ec3814f5813690d169d574b7184a6cad67cbf97718c224b0cd95cf7df239ab536d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a68e82068e7f28c6e75d3706655ed181

SHA1
b7cef5a76656bc6b5adb6a08f1c24fc9221e0555

SHA256
eb353004f9185774ce381783e53d82e3ed2d2616aab47a7f654320d3a3ddf982

SHA512
26baa2358be86ba6a844715778b7553a927b806cb0aab80940defb4ed4c8c01707ebc9cd3a357af43d8469913b6fc8e2fcc597261fa0776ec048950a04c87444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
10de7540d13426c62daf5784673ad29c

SHA1
5bdffe5b79100fc3cfd4c7dab4be3f0cd55a7c1a

SHA256
248f00b0fe5b4dbeb5f50c805ae9511b983ef5f770b4dc735303d87801bca69c

SHA512
7ac0188952e40204868f37d7bffb04595e22c80623c1369e1ee4f0d5aa25777f7725ffae89c70ad6881afbef32bb755236e6c1002545ef58ddaccc15d13e04bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0bbb807f5a87fb411e5e53a81a94329c

SHA1
fb240ac59ae375fe03d2052af9e71dc3a9c9463c

SHA256
8b876f3139f01b74913581767fe06cc9dd80bac0d6244c0cc37ac751ff6632fc

SHA512
426bf125df70c1790dba7e86150aa0c7a4e369e671436122e090ab0df0d2f6d230cfbbeea5a18a993dc3ee74ae32d7bb9c8a605b556a7b4cede4b88071fa1fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57782d.TMP

Filesize
2KB

MD5
62ef0b2d931dee49ed513961ece66048

SHA1
75ab8dd2d029abdc0701a541bf3076082b6e0c26

SHA256
2363d110b62787968a21ae43497d60d50ad3e2a713303aa36834d810f996344a

SHA512
ab8379f396349faf8b51cd6ef4cb31c2d16da749b9902654227175423872fa6d81447d28926892602644a35b30f8bcb9412ee90b0eea93108cf6eb1b8dfbea94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3a3d74228894acd3a451011d78e58a2a

SHA1
6310af69e3966a3d6ba06a98c3f6e04fee7a3643

SHA256
356681bf2a3bfaedcac0be71db91d38b0ae1f1441c2fdec4e44fff28dc6d8ba6

SHA512
67f4c0cdad2cc9ce6bd4128056b7e13e3201d8821953e3aa340ec8fa4dc216c63a591b86a81e0c8be04cdf6d528e692e9d4d38093bbdfdfa43a532d5b60de8b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
282KB

MD5
3f3de3efb44717a7011a5febd3670af5

SHA1
d6d1e271553032a1275a3ab8aed7288bd3410834

SHA256
e7a7dd6d0aad00badff4631e85e9810c3e318245d36c64ff1161cfbfd894f515

SHA512
2af6970cb0e7ebb835a7d27f291a919d858feada24e290657531e41999785dfe9f7aba8751ba5455834d8927ca3b81a862c4146d75932d3e149c7b12b7a78f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
b3d7330fa41d8b41239c1f183d036b63

SHA1
eb4629c5f1e714716cec9b2fe59d273b1e1b9e12

SHA256
f797ed6ebb161de39a58b7be7e429a0541d825f8a8ba26630e75470bf0851d4d

SHA512
94d2baaa6b539c9f96f821967cbfde9fadcb90acf4ad810921f6188911d3134143b761a194d69fc92d9f6a7aa0fa9bd2dbdebe1777785094c97012f662b9bb25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
f056bf8c6f7096142b00ada99edcff3b

SHA1
5a066b5da496f7d78fb6c58e427190231b1e8803

SHA256
8ee56a2952e17584b33f9c8f8392533ebaa7987685bf9eb38f86120635f3ca2a

SHA512
deed609708f341f65729dde902c26a621e083a82917bce7e43eabcbf4ece016d08f63e459e6c9466fbfc49fdfb569fc415bf450fd1778482933d6b3b85c9fd88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
4ce6cf5e6fba535827cc47bf4159e5bb

SHA1
aea93faea01e6c7e2a7043a75222ad0dda2b89e7

SHA256
a7fb1f7c1bd028b7a7ae8a50910e72e8be6f28d80a038db618befe6c1147e61d

SHA512
0e17965a3bc47a151e16662349e040ddee1fbe28385eee558bad6628c4d9d4b95e57143f978065ec8af428fc18a37cfd383ea9f079f15e2e6778b43372d69866

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
bfa6c797bcce3f59d1ee1f563279ead6

SHA1
b061b0be93364a052063c6580cb66a05584ee0d4

SHA256
a7e13399c275dd8e78a187cdab4dd9ee47bf3b81a991ae41a104e1709eb1108e

SHA512
7598c67100d35288371bceca8f9db66bc909bd3f4ce1209a175e382065fd519203fd1f3d46aed701535ff6471bad4f8cac6116bdc38f955b73f86a91a0902929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ed6d.TMP

Filesize
88KB

MD5
b31c173d0100f6dfe2e7513489c20b98

SHA1
fb47e1d8b391951f3104575b1cf70fb25a1a9ee2

SHA256
fea248da85d372ccd771648244237bf27a68fac25c0b77fb4f8df7fc268bf2ce

SHA512
285ef4e3505698dea8f77d2f7529cee97beab0bed81fa30201ac696d67825617d880834db34b7bfdc75be566b3a75b2585f65b2172ff4cad1709fe996ef2bcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
449cf5bc7e6720408b828b45a0d16ce3

SHA1
9c1ceedcb3e32838451c9e5ea5721989243d337e

SHA256
a6a0a968d2923fdff3a828e32efc9cc74f240dfa723034f55df56ff278cb5bbf

SHA512
fe2b92f68d06018fd39792954f32fbaf6073229c615848a4c25ed1165a5d6843478ab81f17a0293537bd877aa3c30a54e770688365e709ec691c1ec0419931dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
123873a5aea1f133c9871cf1649fc3c2

SHA1
0a9f7cd066efc27818cd640d5c14dfefe5fff59b

SHA256
cc267df11265e28513b2bfa0de358b57e507f6a068ce93e3bc3c2713b15df77f

SHA512
6f39ae074bbdbbd905cf9a2173bb0f1da0c01be958867a5721545ba9e33621139dfa5f0e3eb9145427ef5ec12e3320d7188e075f8676d625c36245f2981a70ee

Download Submit
C:\Users\Admin\AppData\Roaming\a5157397bb5459c0.bin

Filesize
12KB

MD5
5f5e0f715118a3220b3659463ac36c7c

SHA1
d87d1b04a250963e7abdd6d6251217c1bdce4256

SHA256
acef7fe3f97cf8a0fea41682a7d0b8aa949c08896c28ef852bce7852ac992d72

SHA512
203470a21fdad50f0d4480770cb62ae55f1090a42f735b8dd4ad0f5576bb25691226839cdccabfeed474af6681597cd99126b6c8d6bf867e6319f2bf13b52630

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6d342229fc3d1de4f5bac054ebeade5b

SHA1
17833d82de58ccec9f30b13f114e914275c0d24c

SHA256
a6dc8194421c5c259645dc97ebd6cc76b9f1829c226a4c36b854829dd377fbc2

SHA512
a1bd8d41119654922829cd52c8eb2ac2439a5dde87e28314ae454b88bdb24c03b3608588c34844ead40b0d06eae896ffc040c7f223885a36a704cc507abfc4e9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7c3d9b7e8aa06d3204fdc197a3e308ef

SHA1
133a959f948218bace1b8444f32cbc04d85e89d7

SHA256
99fdc63b5f17a4ac4723f61af86669a4e35c78188ecc350e6ade25a2a0d95c80

SHA512
db668d65ddce60c27d22bd7afa147f17f99839181373185b7d5bea4c9b6204e3cf29373399f699191a6b5c70b56c6e6160511d0bcc1a9367613c15d5e45e4d66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d2b45fc230d09fc7f5b9f750ece2a984

SHA1
06b9dd4e02719670bc953508985bcb074d553e5a

SHA256
c11e46a02a17fcc38935871e8fd6c6f314fce51283f3c0932f25c8a580194317

SHA512
6e1b8e9b302524b376be34786fa9a3b651cc2cc09704acd0cb14a4cf219beb7de9d35d653ebd218534a783e4032db0ba18ee8da351e1b38aca4029087b121e92

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c9c2d6e2e9f87118f848691d27b702bc

SHA1
5e66098971e9cfcc8fcb39579c3559c61aed96df

SHA256
cae33609e44fbabee14bf873945f41b33c94a0bb665071bbb6116956448767ea

SHA512
f01f502a4102e0c6665c752540a555021e525d05d180a42010a4d19ee2692e313544fcda64929763ce40c2a0f1b3d8c5cb0d3756ad5f15c66f972f18296b4e84

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
69e4f4716ad8737927b20beda52137cf

SHA1
9872c58ab270f13a9d9c01add61cd1841668ca3c

SHA256
42349f53bfabf134549b2cab1d16d6ac2ecd3bad8de1958dc0eb8f209d69ff0e

SHA512
f68d3e772375bcfa098a124a4620229830bd98de9cd34c7104d62fe3bc35fa4b6d6fe89d4d47dfbb802c712ecfc4b99718bfd1d461c765f5ca92e75e72bd5030

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cfc5a4822f99a8187868884902f9ef05

SHA1
9ad633a04715e6678ffe48d78f19caac872f8818

SHA256
121a1cb6ee397223bdf50dfaa2e6b4c4b437d0ef8c16505dd2ad5a297bab63a0

SHA512
7ce0e689aa5bab94d2dbdd4e5a08afd02c7531297d1ea7374c5ffd536cfff3186ea08ae03b55a5ed8be46c7ca428ff93f1c3eb9ec5209ae95d2e6110d363fbab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
731cb536bb3afe2b76c84d5a6970e344

SHA1
39a0eadcb16d2716d7a4a235778f8a18e1418e14

SHA256
6dfe34123b127be7459f62ad553e4a0522699b23f78fb425e21ff8d76c77ad08

SHA512
67c04458043604191e18131b6048cfc1b45d3e925d04891d60c62bd4d6d7f33ef1254d17cf7ab1d3ed9ce06389a7459a9cd174c38a53c0c68830636bd91f5e77

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3ce2c739c715082ea7642ba83f243abf

SHA1
9ab2dcc5eb55d8af724e048cb5f76a882ad09b07

SHA256
5566e03e5fc48b5226ef023dffea7c4122ab423ce33b401feed18465ed6bb912

SHA512
a87f7614182781eb1ef03a1b7bb9a31a60b0996339790dfbec9f090a627e4ea8bbd35a21d85163d0ffe1ed97a3418269f677c0239ad2e341cf20b3209a88dfc6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9e949eeac9fa28fb32e98c2a6c058827

SHA1
37f67131f6c6c36f986f594942152ce506973002

SHA256
c560ca15628c60aa1807117e807ac3e5d63fafc6eebf660d0e2c7485ef2b12d9

SHA512
b60f2755d8342ad5e87cbc4d7409db48674550947da7b4135814c3509d77da27a9fbc66752980f187f3db0f8f0d902518593338896e87926f5ed0702b4d9c49e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b00427b227866ab8851eca4dff477a22

SHA1
58ae097bf04de55660d42b6b81388e0ada931163

SHA256
c31e6adea6f987574d1a6d552ce58a4a76c01551cd57bc1b9a4637e91ac3e316

SHA512
1875d76f4c74efb4c064313e64b5812e61e80d0c319349afd7fed3f82b8ace87f97f9c17f81d1fad155fd114f6236969efb31ffc49c644170c2e49eab2e0b985

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
018dfb59355f52b1c676b98a6a6b6443

SHA1
336a42356ebfbe6c1dac06c7961ee26005b18849

SHA256
309fd20e33f3fac19224f3594c886c1aa4d78811c5a3b722a29f277df65d1dc3

SHA512
59e809c5eaa9c34dd6c87bc5b691b7fa20a135a08f998a9d4405231c37bf9f9c6e035997ec18227e4161dd772a243f641da236c5dd96022c467300d4d0c6b7fa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5e0f619ade06809db50fe0a25b15acfa

SHA1
247356a9f295e86542f9af40f5f94cc7a738abb6

SHA256
da6dcc5b0968f1d7231d35eae00040362927c44b76f77e31d62abb663d29f3f1

SHA512
0bf61b957e2af921c9d4187675e21f97f48c707f4c828a826894068a053437b2a6a61714cfa5f7b9c0f17ea9a4ffc2ea518544f42e45960d8a66dcc0f21cfac9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
4ccce86543ed76a52dae72611f5bfd1e

SHA1
d87e6c3c39e9679dbdfdc5dfb314f09949a7c25a

SHA256
2ebca25640d698d8b212257239a5b25c1609f4035606bb199745fa43db36c506

SHA512
f9d21a44d2b9f52f931c0d2b649db75acb5dc46d757b5954270fcf5ebfb43c4bd78c18c55ef9935d31c64fee48e36c5bce394bf2d94ad286cbb6e7023381e143

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
08983a13430d867081fb29fb2795e592

SHA1
efdf6776ce9dfb495b8ffb4aea84eac7474d912e

SHA256
a3968f39798c3c13508422f8e3a7c753da5d834e8137fc5ab02ee00506e6bf87

SHA512
43d3372cec072bd42939fd858f022a089199757765c5bcb8035ba3962be84f9cbfce0a654cd7658e03f518ee880f0102db2f40c019838d8a1a84ca46b6e5241c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b45f4f8a4392bb1893b1e4dea076739b

SHA1
6987c2b0c601eed4d9de71e24c4074de8d409154

SHA256
bd7f1dc1b36413f06d7552ebccacab5a26e9220ba60012df4e733b3df8fdd6ac

SHA512
62d9e8055ecddaa9eff5145533cdb00edaf6717fc57b47da0851c5d4d24abc112e94c63979e293e077014069cb6387033b8e08c2214493e85f2bb63bdd48ac73

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e83b741e37cca9b64854787984b19e58

SHA1
ad1e7930d4950148d3e7eeae7c4600aec8473c1d

SHA256
e220ce2c2afbdebadce55eebbc5fb7804934eaaa5865f9c7f82995334c6e661e

SHA512
0b74d0663a42e91f8a8e74c7f38e6a2e27abadba2dac9447ebc087a09788e9d70883bc70d75672e7de137cafa7f74f77340948a5c4439a22ff3d26a578a5b728

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
590a5b5cf5e0e746ec3bebc52950c352

SHA1
1ef9a21250b7a0ac266488811d59732670d69868

SHA256
a8fb921d3dd84e4ad46cea511a4c512e0bbc21d9836a283758f3375adb319e00

SHA512
115ff28b8831623ba04a024d3ef98105a0ebf2ba485cfacf92f62aae0d7f8bc82949a8f1131e2971aee7055d8271279dae4934bc13abd8b187e2320910d888ca

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
554d1d92cf243b5d911de4c11eb77d9c

SHA1
0a4d1fc37b4ff3762273e3e9093be31460f359f1

SHA256
84c860f25271058f3e7a882f8323f8cc667b74704c4149aa69fdc54d52ac94b8

SHA512
d24a60fde484c8bfe7029b99d55bb90298038cbc2769445e94898642ac14cf4a28f5ed70fedde1962ef6186436d5a8e847f9a2056993467097fef308cfd67240

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
257036a0fb3d2768f2801e5d32b9ce30

SHA1
0634d123cc54fe889f179f59136e47357ff7f7d3

SHA256
fe6257986f35787b1ef9628e36a811d3484fff46899b61381086da82e363c462

SHA512
381a451ab3b3c97eb3546554811f0784e5341a7f668b9ceb41dc077d34ebd26fbb29b2e0ab21b2a52b8637b3998943c14ce60380b8525378d37ccdceb0f0e5a1

Download Submit
\??\pipe\crashpad_656_OOFFNDCXOEVRDTEC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-84-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/60-74-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/60-80-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/60-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1480-221-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1628-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1628-41-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1628-45-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1732-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1848-536-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1848-243-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1884-241-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1884-535-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2044-229-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2436-218-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2464-217-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-91-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2472-97-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2472-215-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2632-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2632-500-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-313-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2680-55-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2680-49-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2680-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2720-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-534-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-234-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3164-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3312-18-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3312-445-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3312-21-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3312-12-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/3628-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3644-9-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3644-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3644-0-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3644-31-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3644-22-0x00000000020D0000-0x0000000002130000-memory.dmp

Filesize
384KB

Download
memory/3716-450-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3716-577-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/4036-216-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4036-104-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4080-28-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4080-510-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4116-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4116-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4792-223-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-214-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5108-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5544-494-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5544-435-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-462-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5860-485-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-472-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5924-582-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download