30e26cd16f6b9fada06914c774e78d4a7d4ec883a3678414403493c3c435464f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
Size

5.5MB
MD5

e403a70bb6ac3a590c08b5d7daa4dd87
SHA1

31139ec83e76049f7fb38e133215c63aad1c2eea
SHA256

30e26cd16f6b9fada06914c774e78d4a7d4ec883a3678414403493c3c435464f
SHA512

df8bb439f42fe2fc70174c24e10b2a775def57a835369368a9017a886f8224e97602c006162ca5c7a08803b1090913d2c0187f2c1e473380cd5c266a5fbaafe8
SSDEEP

49152:iEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfw:oAI5pAdVJn9tbnR1VgBVmXi6qrZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3100	alg.exe
876	DiagnosticsHub.StandardCollector.Service.exe
2088	fxssvc.exe
1800	elevation_service.exe
2964	elevation_service.exe
4044	maintenanceservice.exe
3408	msdtc.exe
2336	OSE.EXE
3036	PerceptionSimulationService.exe
1920	perfhost.exe
4456	locator.exe
2464	SensorDataService.exe
4176	snmptrap.exe
2832	spectrum.exe
2324	ssh-agent.exe
4576	TieringEngineService.exe
1176	AgentService.exe
4068	vds.exe
2404	vssvc.exe
3856	wbengine.exe
2784	WmiApSrv.exe
5152	SearchIndexer.exe
5564	chrmstp.exe
6180	chrmstp.exe
6312	chrmstp.exe
6392	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exemsdtc.exealg.exe2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\238561b6c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exe2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9bd8d539bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fedda529bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d0e5e539bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cffb4a539bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000064a59539bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000815e4d539bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a92ab7529bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2500 chrome.exe
2500 chrome.exe
2040 chrome.exe
2040 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2500 chrome.exe
2500 chrome.exe
2500 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
2500	chrome.exe
2500	chrome.exe
2040	chrome.exe
2040	chrome.exe

pid	process
652
652

pid	process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1924	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
Token: SeTakeOwnershipPrivilege	1900	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
Token: SeAuditPrivilege	2088	fxssvc.exe
Token: SeRestorePrivilege	4576	TieringEngineService.exe
Token: SeManageVolumePrivilege	4576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1176	AgentService.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	3856	wbengine.exe
Token: SeRestorePrivilege	3856	wbengine.exe
Token: SeSecurityPrivilege	3856	wbengine.exe
Token: 33	5152	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5152	SearchIndexer.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

2500 chrome.exe
2500 chrome.exe
2500 chrome.exe
6312 chrmstp.exe

pid	process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
6312	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exechrome.exe

description	pid	process	target process
PID 1924 wrote to memory of 1900	1924	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
PID 1924 wrote to memory of 1900	1924	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
PID 1924 wrote to memory of 2500	1924	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe	chrome.exe
PID 1924 wrote to memory of 2500	1924	2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe	chrome.exe
PID 2500 wrote to memory of 4028	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 4028	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5728	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5812	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5812	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe
PID 2500 wrote to memory of 5828	2500	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_e403a70bb6ac3a590c08b5d7daa4dd87_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa143ab58,0x7fffa143ab68,0x7fffa143ab78
3⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:2
3⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2100 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:5828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:1
3⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:1
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4204 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:1
3⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:5652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6180

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:8
3⤵
PID:6304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 --field-trial-handle=1920,i,16539667327874386174,9249568390110948703,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3100

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2464

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1504

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2784

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5280

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8
1⤵
PID:6588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
19daa6a27fc9c9b98e707b94aae7725c

SHA1
ce0e8d18026da205516e8ce6bf9c7767fcb7f2ab

SHA256
9d0ae761c23dadf01f0822d4f4510f441c028b47aa5cad1e9282b48936bf57a6

SHA512
cbb3b487fac59fcda258363588a75718caea777d7e7c554807f0703ba2fe7b20526e2d043a0b73547bb1e078da561e9c8737805db86ad88290752e328f45279b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c551445761f35368bfcb64a9bd1ad5ff

SHA1
d569f75fb789f9fbebaa1e7ff7085fa5ead3e35b

SHA256
22c112708728f9f0bb650685a19e3e4dd26d292b64dc8d8f61a271ea37f7143c

SHA512
7813b2679efbe63e76a6aae353fa96ba1f3591b6ad71c8d7eccd36f99b12253517bf03e848db18638dec8953d25a5ea3acff9457f2893b8a5f6123efb9c52243

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
63003accc92653e8e8cd774e272699f2

SHA1
38990116678d539f104a57bee5235e22179b03be

SHA256
0266aa1b9b98e2487922a5b21b67e10fa4b28050c4d28b815e38736ee9631533

SHA512
0c05f4eb58b4634e5e62d41955e5e96ce379ce954813f6e946dc4731e8e660e7b42be565a17b5ec5c73ccb926345a934fb1fb6d5086e25842e5a46fbbdd44674

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4bd4e9b81caca329ad26200f2c83ee9b

SHA1
ae0f1adbd58b13b4b0e3fa38dc668facac48bedd

SHA256
23e198d3482f16f880d374602709077e55f3d9b61dabff779c5803f07ddc084f

SHA512
26bddcd37506735b4624cb178b24f701ec2c86173c25c150f12e3bd1d1566aeeaf43cdbced5fb91ce3a85e1bae5d5b7f9c579527ad53e9f770d844f71bd171b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2bb10d2aa1e85a0adefd6a9fa66e8a59

SHA1
81e3c652bf331df00e3f3aff52194cd5d3fbca06

SHA256
81447bb8c257361ad37df92fdf37bbad8f84f4889680c23b5b7b74c76e3d8053

SHA512
c5a23cbe2e46cd92767270783f577dca33b209e8c3aba50be2287c54e995383da8faabf520608827d4f0ac581778684a9c556d3539fec30264b82b08ebafacf7

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240522225628.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e646991f9b7863013f4543e5deea2d49

SHA1
7d3ab1c249b15c5bc5761baef819fa96b043539a

SHA256
0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07

SHA512
8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3c9cc0bd-7f30-4d3d-9774-953c7b2a0dae.tmp

Filesize
356B

MD5
b8617044a53bfd38113dc1234e8fb257

SHA1
53714ac7ada5aece84a2aa007c0dcfdcfe01f0c4

SHA256
ea3a511bcb769ce00a985b7787085d0206283e20e38a52750ff5401509cfd2a7

SHA512
2160cb04d35814720d4df018e770313487ff87167fa4fb59a18e391aeeddbe7d9abf00a3dec022f05a5a9f6faee4f6858df3618deb375f975e133d43e352a718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2b1aef134b6f5377008b1f74fbc3225d

SHA1
72fe16477248d561ef74e6c7223ee67f24bf624a

SHA256
3bdae941d88d0030ee041d6105e904c18ed977b2770b3e8dceb813cd8c6b0088

SHA512
c96356ca6fc9df2d50f5e9a57dd8faed4547f4b8ac896b12cb27f7f952e8545e32d8501b8040550e805eeb1d1800416b118f4333cd48d72b2ac304c7cddd4456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
57a5d19a2102cfb269fc9c9bfb603a9a

SHA1
b7bdc85e875e0cedabddba2def4e7698eae216fa

SHA256
a0ba0b5d9c7e4300415c2a0d7cf1df0f9a899a16b7c85c8c8dca3dcff10fd908

SHA512
3cb3c85b175599e29b8e6789232611383604e46534865f3c200b3e777da5d855c3cacdcfbd7a5607c2230216a10b52cef89bb16a928f96998824909317c61e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581289.TMP

Filesize
2KB

MD5
c4d12c24a85b7e1aaf85cad983fe7610

SHA1
00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb

SHA256
6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337

SHA512
0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
20ff83cd41de7b28792d01f545186b17

SHA1
bb9833c2d0cd8bc7ca72698a714ac54cacd0e253

SHA256
ad44179b2ad2d2edcd48e45a21603084b05787d97af2248f0c48ef628886cfb0

SHA512
445c9164c7cc96c7bfa509f44e59e7feb144a15360a4ed819bcb781b3f6e98f3f54d69a7dfe3b352688e19b59f8045506fc887716356397bda3b9e0d6ac1442c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
37f71742f9adb4c6dad70a5452049cee

SHA1
4bf576b66b1377143740b6af6174e00770e346a6

SHA256
814edbd77e90225e65d2f6cb02e5b544e26b21f94b26f8af103301799de1f66b

SHA512
ab2688def1e47de5e2504f14c73c7911b5b048d786a8229f56bedc082161dd73e3adf3366b2fb35bd875f8951f5f2d555231cf6de18daade15e06b14ee23c3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ccc4a299b4a45346e9cd4e67fed2572f

SHA1
741b270fec851261264db7627c15a9f06c1c60d3

SHA256
4c1daa1ac2b72ddaa72688250f8b9a88d45e07342319150a38e9035ea6197710

SHA512
35cfe7d4abd274c3bc604926b0969331f717a484e27e764232fac6f443096a18fa13a9ff9d1b4c462d65cf875a7fc3859f1e5ea0430dbeb0ceee28a8e8121b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8d1efd76a9705c2bb348b9025288f2bb

SHA1
8b3a46bc79d6663504d3f8e0bfd09a04385ffde0

SHA256
c660d9beac09d7d5bb1a5b93c1b32950ea958d5881e627072468325b2ab8e416

SHA512
89f9ccec9e39d5fc3b0d6f1b6647068c064e1dbd81f2fb774c1f82268ebb09990476f201e41c709635926b30bb6eda193ae40fb68983dbd457809a68f49a97c9

Download Submit
C:\Users\Admin\AppData\Roaming\238561b6c3a5208d.bin

Filesize
12KB

MD5
43a582594de685d92f1fbfa2656a951b

SHA1
ee6aaefa200a804c46bb9b1818c4b1d2f5d17d2b

SHA256
7ce08b6fd86f93b3ec0aa0af4d4fbf548dd78febb53a2fe7c4d133db265483dd

SHA512
97a01742e16fcd5224c8f79c4683d0cd87ff47ff47598ac39261db4bb738df614bdbbee953d1be1254017f9af11f249ca1c2d459c69eeadc67080e8990f79bd4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7a3c506adbb75259a25618cc4b1c0c2c

SHA1
4243cc8a91c4fd50f4ebbd56cca8356bcc946069

SHA256
09470a74421d997bd0bcb6083885dcaab54e46d53d198899ea58f4f9998de598

SHA512
511724ea59f4d6867279dd25b68f54ccd01025464acbbb7745931a2ee4244cd718b4089c6577dc0805346e35985364a88a494b55b85af4e8027baff8866008c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
31252b2dd1819bfc9358934b97a13db6

SHA1
14d286a1ba0a123ccebbb9317abda4b6dc796b6e

SHA256
59c8a0dfecf71e63fa50edced9047c29f3b6fa9df0a5a497f6ae8914724f2523

SHA512
2708d7f2a98e379b61fbc4dc0bf719ef4d855bab2d6904a2f09f5a2010ed53834200ff994d4b60338d7e2dc331e71cef4f4bc42407304d06aef101dff85c57cb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fbd25bffff0f586518ecb12fd0ab1c23

SHA1
6a5c6914cb778d4778cc1135559fbed9620a44c3

SHA256
1013f8320711236d88cef44df809379adc24d14a9bf8f7d8da62c2c496323911

SHA512
0be21789b4b3eb814b79cf62be7c1df5e75e4825b7935bad13662de0d9d0b4227fb438353ebe99ca4b69f6fe9dae419929a9f1473ad005d9770f7cf25f1e17a3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
74b04026bf8cf80dfbba87daecaa8575

SHA1
a92e8f5d9e648d4bd83e22a4e6901756abafc7b9

SHA256
2d5e4b0c1073e5d1edcbcd443285ddef49b827be49da43a5f477a2d8d214a22a

SHA512
4840bb8b8af88ff03f20cf42246c688e312355638a9f40d523dfaf5568782f4322efbebe0be48425ffb41a22db3a6c76149971ab2a9d28f874843263eb37f4d0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
38c2d3b9d2de1411c24e5b51ec15f55a

SHA1
d37de550b3d8c7337efe7f2a5239ed71260b5941

SHA256
eef5a6fc3a9e7640db3492329aa0bb83aa02e8813f3ed77f5f2d3fb6f2b309bb

SHA512
8a9d4871b0b3ca43d966ff84f4fc04240770602a983c63090772a0028583f3cdac5f7a7e4ecebf6d5b6b226b096040ec1c76eb9c9da4cad0c32a7132bfda3c72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
dff9be07197a79f102a5f0720f14efb6

SHA1
e59c3fa2df663c09e4d68c11dcb63c562c698896

SHA256
8b45f05b6e6508510798ad162387041bb8f2faaef4d5388ba343c46e5eb6bbdd

SHA512
771e07c36f60a71d0b6cdfc4fc82aac4680083393bde85a8c8982c953eb34224db18b156ab54c59aedf358e13854560596bc6f3b7d42fb427cc441a13c0a6ff0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7ec21a726430feffbbbd7599bd2b5b38

SHA1
a1255c6a5b2b2c0a6b9786779cd324fe59277e53

SHA256
d3ca3d8670e979368747f6d15124c755db4e5a7d7310de977eb85575d824ea4b

SHA512
fd4b2f816ffb01b03afbfe72c1fb07eb16845819df4c9d260e33043b955cd5a8535687c74c978db6337588c9003c37ac00c79a977a047cef56813f66d687a4d2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2907110fb266852d282f0e4e3637d64d

SHA1
ddd24d10efe20de3fd71a89fc0aa48ffc40c199d

SHA256
de9b2d4c49d54bff2f91f76b321d367690f37e59695cb180cc0a57a3441d3100

SHA512
ca636ee8c0af970e78595b48b977d148bd768fd7aa76556bde7bee526a88674e87a04eaf8cb1dd5b5168e8f6de456ef900b80ce09728b0e2b3522bf9c24d358b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b78bcfc7b1900272bf44c3f60d54b82d

SHA1
aa74272200099fd3adfa8fc2d882d2d61fe5440c

SHA256
d0899feb86a509dab9a3ab4cbebacbe19f7b605d50b7dfb25798a377bbf11b6c

SHA512
931d2a506016e15d0ca11aab14101383c3e3ea635696385b1eeb0300bc1d72735ed75c192908341904a671668228e6c383eb1af7f0c4657a235f3a3ced6224bd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ace9f07ab5da96eed2de90474fafd6bd

SHA1
7785a3a1aa4f9d83d49330ca38c0e54bf3955986

SHA256
9cde100710bf6c4fb10ca6512b0ba1425291d860aa9a7ff097057edc70cce4cd

SHA512
8422f476e9f1c999b45567b8f2194a5308939e7f2d41c809df827ef70ff43860b5890e8d8e5a11e594dc51fb068bc9e7c1c5726022bd6ea89ff628b212a03068

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
178301de1fac3fcd03250cb2e5c6dd28

SHA1
190657bbce5b302f33233e4e1883545aef940e21

SHA256
b47c1781fec4a8586d5033b4a809547c012171090a304e36d74f434998d04986

SHA512
d6b57247f3a069fa35918d17b7d7435e01c81e93fbe907e713edd73b7f574f175a206ebc108c95d90c5a684759c27507dbb43425208a50e357c769096e3652ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3535acbb3d639bb741e81dd1a224b027

SHA1
b2f448970bcf85e0f0849600840c232ebe91285a

SHA256
f2cf8621c41f806060e7fa26e29802e99a57fb714914a1344336de1d6b95b945

SHA512
39174a1caf13cbb9d21a97af324df4a35ec62ba7c1919f3eb62fce5d503c9920a172b10f3666e4bb70cd198e9c27f805f8c2ce1aab39754087bf45fdabbbf79d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
342268962c227f5b72b050d9517a0c9d

SHA1
790915221b63abadc8f920651dd8ccac54ce10b5

SHA256
8f38d6a8c5c57c2276725a468381e19d65569b89506adb76c700ccb89ada73b4

SHA512
e6dc4f235bf849e6e84c6255db77327b02fd3cca0ccd47b6f79775fb17290eb4c18ac0b221016bb5e1f74a0dc9c1600d91395ca2f288c23df23f702c4fe54d16

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8bc90f102096a78ac003b825852d6152

SHA1
8b0c928bf1a98a30c1aa01e23c5c24dbd7b7d7d3

SHA256
d82dc044d1d3b1e826008c34bc50b9515a70cf7a9bed27ab0ee6f2313a4c9ae3

SHA512
8339e51f4bd9f32de6487ced0d08470ef327cf917aba0f4847dd3e1532b19d2084d6d6c66d3234e0dc808ff7424d7d2678198185f946a0dbc22c88560ee5588e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f96993fdf8867b3588080163811752bf

SHA1
64aa14949b7948a44597777cba7f9342a0377048

SHA256
197d8d3233cbe2d43e71a7181b46adabecb9e88162964bc0bc91065974f66ed2

SHA512
4a5b562a41b89a85ac16a3ced1c6de113997d17a78eb339850626294f9870213a6b0a2c25eb84a00d131bbe9296898fe1c9a0e3a936409634610e09616d54d0f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7219aac00919a9afd8b427bb2f1cac26

SHA1
5244b0fc9f2ee1dbf34f303c7e29a824d8b17acb

SHA256
11374b272d9a42b3a5158d621de3d1f49f3700b2781df68a141b720ce8357b79

SHA512
86d97bbf507e0e11cbbde810927ccf32614a668e5a0ce6ca21c1f1d392beb8e6b1fb33fa77c91817d1ea7f82f9847d39b0062528cdc0885877a916851195dda0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bef4417a87932d901c38a3166f07da0e

SHA1
0fdae3389923c81a2e261526e73c79671322dec2

SHA256
a9ce1f84eb267751e8d5bac8bae3a7501dfeaf06cc1e2f11c072dadc6d0c5413

SHA512
01d670f6e7f72685d6172856d18ce8cfb351c4dc2510a393e3ec4d61c33c92b43bfb499836546b19137cf4acaba7c334ebadc73e4f5f15fa07cc028b80d44146

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4a91537580ff88cf65bee07f4749da0a

SHA1
ccc269c7b792bf3d1b048fe62a42d09d5ae12794

SHA256
cf74470ab2dc9ea7e337f0106b27ac946ee5be6ee9221022704854d18dbd4446

SHA512
337d504b0c3efb64a64472fc2b023a64ac283ebc008269421b9eb8f10e09756052cceb7171494b17c7b61f7797a6f589ebde11406ed9baeeaa618f387bb8ca7f

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
de12892063f81f60b11c0497ec332fa7

SHA1
ccfa0530f55d277c3fe6d75260088ae08d5b7616

SHA256
afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae

SHA512
441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

Download Submit
\??\pipe\crashpad_2500_MHCHFGODYYZXBRQV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/876-43-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/876-625-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/876-51-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/876-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1176-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1800-75-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1800-71-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1800-440-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1800-65-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1900-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1900-549-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1900-17-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1900-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1920-328-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1924-20-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1924-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1924-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1924-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1924-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2088-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-87-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2088-61-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2088-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-55-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2324-342-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2336-326-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2404-348-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2464-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2464-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-352-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2784-636-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2832-338-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2964-86-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2964-84-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2964-635-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2964-78-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3036-327-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3100-41-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3100-619-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3100-38-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3100-31-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3408-325-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3856-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4044-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4044-92-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4068-347-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4176-337-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4456-333-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4576-345-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5152-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5152-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5564-535-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5564-599-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6180-551-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6180-640-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6312-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6312-586-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6392-574-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6392-705-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download