d8ff55b56c5b2efd3ab9831035ea86a754eacaa349981de5f83e25fc5646cb49

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
Size

5.5MB
MD5

f0b8ab5964cb0ac7af3195fdd3a5e8c9
SHA1

3cd41989c5fceb59dc5c7e971d54eb4bd801d5ce
SHA256

d8ff55b56c5b2efd3ab9831035ea86a754eacaa349981de5f83e25fc5646cb49
SHA512

eec88b10069c005bac29ad724cb9b70c27913fce143c4bcfa07b8614acc0c61b138a285a2585dfa6de1c3ebb92429e90fc50e9894da999ae1c79ddfe46bce872
SSDEEP

49152:5EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfW:tAI5pAdVJn9tbnR1VgBVm51Ms

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
3232	alg.exe
4748	DiagnosticsHub.StandardCollector.Service.exe
2068	fxssvc.exe
1592	elevation_service.exe
3372	elevation_service.exe
1932	maintenanceservice.exe
2460	msdtc.exe
3020	OSE.EXE
840	PerceptionSimulationService.exe
3300	perfhost.exe
1116	locator.exe
3112	SensorDataService.exe
2816	snmptrap.exe
916	spectrum.exe
4852	ssh-agent.exe
2204	TieringEngineService.exe
4512	AgentService.exe
1652	vds.exe
4208	vssvc.exe
3632	wbengine.exe
3280	WmiApSrv.exe
3684	SearchIndexer.exe
5588	chrmstp.exe
5728	chrmstp.exe
2336	chrmstp.exe
3204	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exe2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exemsdtc.exe2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b5bf62db4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exechrome.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a11f44759bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4dfa5759bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000047f84759bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000facad0759bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5020a769bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050e629759bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cb3b27c9bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d809267c9bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608922600973870"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

880 chrome.exe
880 chrome.exe
700 chrome.exe
700 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

880 chrome.exe
880 chrome.exe
880 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
880	chrome.exe
880	chrome.exe
700	chrome.exe
700	chrome.exe

pid	process
656
656

pid	process
880	chrome.exe
880	chrome.exe
880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exechrome.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	224	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
Token: SeTakeOwnershipPrivilege	4344	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
Token: SeAuditPrivilege	2068	fxssvc.exe
Token: SeRestorePrivilege	2204	TieringEngineService.exe
Token: SeManageVolumePrivilege	2204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4512	AgentService.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeBackupPrivilege	4208	vssvc.exe
Token: SeRestorePrivilege	4208	vssvc.exe
Token: SeAuditPrivilege	4208	vssvc.exe
Token: SeBackupPrivilege	3632	wbengine.exe
Token: SeRestorePrivilege	3632	wbengine.exe
Token: SeSecurityPrivilege	3632	wbengine.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: 33	3684	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3684	SearchIndexer.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3684	SearchIndexer.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe
Token: SeShutdownPrivilege	880	chrome.exe
Token: SeCreatePagefilePrivilege	880	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

880 chrome.exe
880 chrome.exe
880 chrome.exe
2336 chrmstp.exe

pid	process
880	chrome.exe
880	chrome.exe
880	chrome.exe
2336	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exechrome.exe

description	pid	process	target process
PID 224 wrote to memory of 4344	224	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
PID 224 wrote to memory of 4344	224	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
PID 224 wrote to memory of 880	224	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe	chrome.exe
PID 224 wrote to memory of 880	224	2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe	chrome.exe
PID 880 wrote to memory of 4476	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4476	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 2440	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4968	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4968	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe
PID 880 wrote to memory of 4628	880	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-22_f0b8ab5964cb0ac7af3195fdd3a5e8c9_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85cd1ab58,0x7ff85cd1ab68,0x7ff85cd1ab78
3⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:2
3⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:1
3⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:1
3⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:1
3⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4176 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:5488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:8
3⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1888,i,10425792400123649957,15049787952822581087,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6072

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3475e69ecb26f47df2a702a70c55d09c

SHA1
2d71ebd4d057fdcb1e5dcd8ea14ec41215e1656b

SHA256
15ccae70a43a2f3de5dfda88437edd386c2cfa6a0c7358280fcd3db87cfb9258

SHA512
c6f282aaf42bdcc798cfbce1b7949c1aa35bbdb514cf8ba24db802f5fd2dcc2f18ac0f0fab64e773cf817563c4968754b75b811e5c51087b2ddf291680bb1cb4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7e2a39d4e121eebf16e77019ff39408f

SHA1
a0e1788938958e2a05e48b854021e431c26c8277

SHA256
8bf038261bdf97b79ff4f33a6c2a994603ffd9e7ed717f62ebb9d7ad4a205277

SHA512
0f16ee5b327cb76c88a21e4ab711f94381cbcb625a8f9b69e5c36e2e8673221e730772444b5689829d2fba7a373a3314ddd5454a3576e9d92a5764c0a8dad9e7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
987a37e96935a1c723dab05ee10a38a0

SHA1
77c3ccda0f67902b9330e9881a74855924d8b199

SHA256
bb26225c82ce8e6c28e73db395318162084e48d6226786d53a109877bf8bd9e6

SHA512
2f7d3e0a111f5ebb14a9b51abb3f2c3385d13a6a5230bdb4f32930fdc9ba75442ea25278fb17d8351a8ce10ab18c7164e9ba36e2af1286f3dbbde5729d65dad5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d21d81ccd02b847b93ba887c5853164c

SHA1
f81d728cc1a67014b375533ac0bef9528f782a96

SHA256
4e79bf6be57fde5b8ffcb6232994012e1d5c0f40f1996268d84f875258929d15

SHA512
6b1ff3a84ed62e737562f06ba4e52931c420950b638728dc551c398f5967b7819aaf1158b1e9958f9d5859ab54829aa6bc3937c4c7f3568dbf055bc3103093ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
aadeb30efe7975f50e59789500d648b8

SHA1
7447290be48e89a24286ae584177ae1e93b1513b

SHA256
05bdb65834bfac3adebc50999a20dcef62a9232a231d9dd37c2239f94f0cddef

SHA512
c68940dd7e166ce69089888d24d154e555d72e421e8c48ed32e67a77961de76f6f58753a94dae22acc7ed1fe49574fce3d7a29a0cd46e658a1573080a050ea20

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240522225740.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
2cd879c3b1b25f881f4b7ab71b67a095

SHA1
e8c477526bb5bdddd659fdd44606060d83e703ad

SHA256
d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a

SHA512
95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
81310fd81867b050c9f87ea4b9919c7d

SHA1
2c1110d96309b8fe9e073d2dea616172976bb74d

SHA256
fac26a71c212493b66d6dc637a39f3c1707782fd16e25a2873df70e9f1ca13db

SHA512
8b0767f5bca45d599962a5c174ad03076c1d4359f24a8a788936da489ddd45f0f72923e2ccba3f0caa2f137ade2313a6058f0794294d7dbda11622cee0342b6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
16545059455901d005ecd7636f649bf3

SHA1
316466b242c07e970a883a57eb3de29b8dbeaf2e

SHA256
a39ad70a8d2ff61424af615618494e06138773e65fb14a1f826385d618af41b0

SHA512
41df677064f24d39cf39f284c3445b04db9003192b8d639bbf3ffd4668f732c2415c0343ad718d3a63d862482e9b5a6efa795836953a82a15d5b192fd63a9983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dfa6c36e448bc8b35a3d1939d90fb47d

SHA1
afe37f3a428856cecade8f56414b8a1f3a8758b2

SHA256
42914d8b2993c3a2c500444edf6bbdfbfdba9f624ea0ba0896445f9ac14b9eb9

SHA512
c427f6dd3f5d9f526a56e7c7384f94e30476b9663848b09ba4a4941f00e09803b738648a52de16c141e5d74983351968391fd8619d3942cdff57563bd70c67e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577ddb.TMP

Filesize
2KB

MD5
1f497c78bb1cefe5fae1f2d3e5c467dc

SHA1
12ec3f79d43fc239252d3812f8f0c2edc492bc51

SHA256
e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc

SHA512
f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
83a530df042065ce16b8a24c2c8e80ef

SHA1
d3906a554e70883bc7e338ddf619c1791a36d014

SHA256
ae6108248d75032e2cdc760d190da151141ea71184ff3940ba8f0a682eacb28e

SHA512
e536b100d82e57a00de6e249bb0490924bdfc5aa8f20cc997a6d341fc2bdd7ab2396171d561423f6b43038e7789d8e6612b3d13c5b12ed9825e89793a481c38f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
b0b91809b1d29cd4137d52a89c8dd236

SHA1
cee9e9a75b6f721a9896d6cb27cd11e1250d1176

SHA256
4fc432d99159ef0c42baeb35010f10a9665b86daee16eeecac4b9fdfc80cbbbb

SHA512
a0376d282ba538df5fef516307a3c5c21618d00254988ca8217a6617772f57aeb982dff1596c3f8248a5e24a2300903b5fe9ca8bf0488aaa76e8b071560144b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
7KB

MD5
ceda5f589dad4373d99c7e6913d23f33

SHA1
3431e46da464bbf803c816236f37171cbecc5072

SHA256
cb859c4aebbe2b59ef0ef3de8ba44acdb89c7f61d15bd65abd77fb35116f6a44

SHA512
0ca55c4f31a5636dc41ffa7b56824ad8e5d31f574b552b75831d5f3d06d8da96795f5f0b96c788028916c39a90e23b7864de1995a61bcad5b3972a249f80ec55

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
8652059a047b968cbe0f5b57182caaef

SHA1
2109040c60e2ec49eb6468904eb649ea37894ebe

SHA256
089a056f23978df4f7db7c4a273f1ec1f8e3f23f95fc466b97565d4be53ec37b

SHA512
eed95fc499f0696df9dd5866a73f7412c6a4ad3428575241abeb7cf3f0be0c9b992723d3ec7a8794b830729af51069db50e650309ad0e245057a18ed6e7013b0

Download Submit
C:\Users\Admin\AppData\Roaming\b5bf62db4b1389a.bin

Filesize
12KB

MD5
266e4a2ac669c8784a4dab2dde88f4e4

SHA1
318a0232ffc1f857a9211a560777b0bec540a6e0

SHA256
5e53a9f925a48ed2c803315b9d0954970425dc1ee89373614671d1e64883c181

SHA512
bdbc35b2e2e2350969d0e685dc8e58d3b52f045adf9fa27a26e19dc83860d9c6039f40d42b40bf912004a024a12666d60aa078b147a285d9fc13f855c213de7e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f0f83812f519266e83a72a585deb4401

SHA1
4bc769aa97426ff2bab002f7efe79639dfe83a9e

SHA256
9720c93f982bdcd5cbc589db7cea1d892cfed7021b19f072137db57d2dda75c6

SHA512
50aeee0403947c397236677763eb8d38cf7a5a23effed85706b981314bccc7945580f893844578bed686ce8d09ee53cdacc69afdc06e34b308f0b0475e6597ef

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7251b47eb40d4ea6310d5f467b1e2969

SHA1
2bd37bda6fed39c4f71759001a34ecd9f7b0cc3d

SHA256
314ea4c9dc8b88470e08628102ac1646fb5d040c1d742f725e825061e2162b85

SHA512
e4d4458b20d24affcfb8cc0720c27b494057d4ee2c2405398ec67193f62ebfe8ae72f9150b73563857ff01c129473983b3e2bfdc6dd0b96c5fa0161a182969bf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
43d0306f70e28b9ffc1bdbe399cef201

SHA1
c236b57ba29dc62a4f9e8497f9a229d7884ae124

SHA256
33e6e08382b09da1adaf46cefdb6b4512071294839650b5755e04ab9ddd93327

SHA512
6471e2d238b631efd08d581e49dbb797256a325929363d74fd152be130b90c6ef4298a4808c64daec431a98e940a64342863251c8db40a9f6fd62612f1183e84

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9d7fc4fc7a94de02ee086ffdbecad45c

SHA1
d719b60e06573c6dc108f9c9e5d4a2ff1b9ba76e

SHA256
1e942c1ba6e602a9f9c927eb6f30394a401660d26a98ee4749900a078a8d4ce2

SHA512
6353edba81deb4bb689684472b9ac26dce581eb6714bc2fc8a9678ab586217b4da47270cf303c86d04fed2030427b71f2770648413fcad189ebbe17384e12510

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
500232864e0e1aa7cc15c16b9fea7ec3

SHA1
4114ac33f251bb3220b5584b1287a421b30a848e

SHA256
25c9a644e6f179a51ec7b78edd30ebe89f76d7ffdba16049fb7c971a17e56631

SHA512
f2868f13d984f075de927cd3fbee34a568fb661820e30116b4c891c7d9007bfa9983e54e42f463f5cad8015aba3e0ddc0f919f06036d367231256ef20e42b838

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b6cdd7acbdae086f22a174f7f293bef4

SHA1
d50ee850bd26c4a5ecb4866542f53ca7be132c68

SHA256
ebcad51763a1ad33bd5794c98bb00504ce0846c7faea02ce2cea8aeeb52ddc88

SHA512
9e5503c31a840f790b8d8a97d1c50c67be6954b62e808d43b18335c3bcf6ca35669b9b66e4a2fc4db34de0a902b8e9654c0ebc09e76709af346bf56f40876e37

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
077411b24aed821128a4417dfedc3c5d

SHA1
d93fec81a13447c3e3956e6c10340009e973aa3c

SHA256
345fea591da3ac86d6506dbc0187ffa192d7fbd1cf82b4395f11c3546e5d2335

SHA512
341973b638eeb961e311dcea7da4ffef4ceaa78a938b27ef57e9b25f6e81c4226de4601fd5484e337588677483b7cdc8ee57b121d5634381d772e9754037a778

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
69a040ea957f9574de57cd905ccffee1

SHA1
fe8a62b9e5386e056de7b4001de2b61419eafc85

SHA256
3fb7cac358bc5e9ad95a4f230e14e55d747f5988bd725ee3940f573e30bb750e

SHA512
2cacc305f843bed04b5935a0303e35529ff081dd1127145b211d09bfe99ec978cbf8cfb341a4c8ac9b20ecbc8cd55944e58f8a8549ef23ee1362f7e7f1ece509

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0498eb1dc24b07dd27f6d788c62c940e

SHA1
3498dac8f43075a61d5e0413f9110bdf1339a106

SHA256
34539c42d6c19c03ff3fda0aa374d8ee25a89363ed4cf84973e638a3d7570be7

SHA512
a7a385882b73a52f26f4370bd991aacdb8c9f5ee528c0a3a28de891017522e9c0923d3c3e8b703f42d246815ff0ed0e200e9b0bb09693169fc3faa85b129d654

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
60bb50f7f62516e8e0202ff9e636dced

SHA1
d7a9f720773067e2460a5064e88470c9cdfa9f2a

SHA256
189638f62549fa3d4e08b9837b41a55614b311300dbec7a86ef0c69af6c48039

SHA512
1c9e80e0ecb9fd11c528d81c997ba04dd4b41ae15bef1ae2fdcd25a2a1b49431a3d43637dec7f96f22777f07c954f006eef062bbf95bf65d986b8cb7ddb41e4c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e4dd2fc1d7bd46374dfa3fbfd4ee6807

SHA1
95d03e9d36f847ff68df51ba20e642f1a4fb192f

SHA256
d1ad6aaad62abf115658490f58ff930e01bbda04ab55c6a2778754d6f9222d99

SHA512
62a5048857850440914b9181ef3060f64a833a19cf2fa17f26c0fb1450d51bd0347574fad62195db356a229c2ccac09993c38dfa7ec1f51a7d390a6c0f537dce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
87c159a71f330307a6264282a5a48087

SHA1
3812ceddb61ec092f236b9ae6d5875c8c2599ef3

SHA256
de0cda890cd5a215dd755b4a99de0277880842afdb58097f345b9eeeb13488b7

SHA512
1511946be9006e01b818720b739e07b401f7114c84ae2d6b59e34f214ecf65998be86b91450eb15c95722cc4871eec77afcd9e3a8c3e02b0ccc963b362c93c94

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6abe5d1ec94778c0f0562d4f8e298c5e

SHA1
f6400d74dff70cd383b6eda16abbbb7a859261ef

SHA256
2e2198089502a37bd2a721ac2c09666a6f8f4ebbb3cfe28a64081cebec87bb86

SHA512
2c3a2bd35facd02736099c7980b6e01cc492701aaf7186273921cdfe6480b0b9925e972a5c7aa6605b9f91c7295f8fc3dd86047854d5840c5c5bd92ccf0c00bc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a11bf3bd1a4340accfcbbe93f7d36ec3

SHA1
a3587dc45f8e7c0cb89198c0ba01fb6ba8158935

SHA256
6dd7f5c54da2278e1a6dc0aa96a500c24850026787c3b53328427b9a3fd112df

SHA512
6e6b000467ea1416f5a67b832623779eabdd1331cc34ffa07e76f7fd7de2317af2448f5aa65e68a19eadc4933fe534fc1238d42911703cadedab82c20d75e3da

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
57a0057f7693409ed65ca67772615f12

SHA1
044225343f5d3280f61726fab697b60cb071fd92

SHA256
b924844029efb3b611ad3d48192db36e0da21fdd3bd13ba8a7d037877db5b399

SHA512
d81d94b624becb17c9335163108083290dfe93af2c36f2f2f85a78403dbec7fd9ae15ae2b66becc3f91b403cb5a1f4aa460d075a800ca90c478ff12a53442047

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8de3d64c4adfc4ba700f98b2ef9de151

SHA1
43e8ca8577949adabbe64ce8e61a8add60c36036

SHA256
234e384c77fa8c0c659a633db112c8cd0e92c0c36849dc9691a038a61565fa47

SHA512
aa6fae1fe2b17f24bbddcb5d4c128d238644e0a73e4d849d60230810bd4874f37eab216b0469662fb4dd0dc37042713e87cbed35769a013d0932d99489bc5b5c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a68ae1e142bc2339cf955e02d9372d9f

SHA1
a4e958aa78ce5f6748f2ecfcdd66396310948237

SHA256
4fed8896607872862b0f4f41be4b2d8ff6c33411a2515f5d9e6ea453c07f0081

SHA512
e4a24ea9ac8377175dba95da3c8fdbee5467bd6ac5d47fb87b2275a71fb00d4958398f37f194b22d1300ab7e35e5cce5a242cfd0ffeedbda5587a1b12bc1e0c7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
565b27041ea11932180482170730748f

SHA1
c6b6f6c6bf795b3d743952c099b3f1a292b1fa52

SHA256
dabc7de27452a1ab00209d4ff2e7c5f7282a71c09249f42ab0a0516163e9da1c

SHA512
86cc2b0a9871635700c31094356d5466b01a81b53656b37f81964fd6db8d54e8ee0d578307a1392269abb7870c5b85890190267c5aa1c650cba0522037267316

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat

Filesize
40B

MD5
b2c359ffd4bf582baf62f6e8adf87a6e

SHA1
8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79

SHA256
ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d

SHA512
1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

Download Submit
\??\pipe\crashpad_880_FFBEYMWJTYKPYXTQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/224-9-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/224-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/224-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/224-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/840-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/916-685-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/916-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1116-243-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1592-253-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1592-69-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1592-76-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1592-70-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1652-379-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1932-99-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1932-121-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1932-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2068-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2068-58-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2068-64-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/2068-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2204-370-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2336-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2336-591-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/2460-132-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2816-247-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3020-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3112-621-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3112-246-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-755-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3204-580-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/3232-529-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3232-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3232-39-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3232-40-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3280-377-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3280-686-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3300-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3372-92-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3372-84-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3372-90-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3372-622-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3632-376-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3684-687-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-378-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4208-386-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4344-24-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4344-239-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4344-12-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4344-18-0x00000000020B0000-0x0000000002110000-memory.dmp

Filesize
384KB

Download
memory/4512-250-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4748-55-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4748-52-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4748-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4852-249-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5588-538-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5588-602-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5728-754-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5728-553-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download