b04a52f1c888caaac2ffd73a97fa2e4320909baf142a3d26e121ac9718f72dc3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
Size

5.5MB
MD5

8820dfa2ecc6d455b9cdeb76c0fd4980
SHA1

ac948e9f7756886f650bb5adf1a379471fab4057
SHA256

b04a52f1c888caaac2ffd73a97fa2e4320909baf142a3d26e121ac9718f72dc3
SHA512

1268bb1658647534c096cc63701b5aed6d52226b2d305daec2006c2e36c329300b76b98306ac888052ceae5eae594ae388244b664357961fb7e9b286b0ad6326
SSDEEP

49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfT:zAI5pAdVJn9tbnR1VgBVmhDb0

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
1344	alg.exe
2064	DiagnosticsHub.StandardCollector.Service.exe
4512	fxssvc.exe
2572	elevation_service.exe
440	elevation_service.exe
4896	maintenanceservice.exe
4860	msdtc.exe
1228	OSE.EXE
876	PerceptionSimulationService.exe
4528	perfhost.exe
516	locator.exe
2996	SensorDataService.exe
2276	snmptrap.exe
4552	spectrum.exe
3188	ssh-agent.exe
2580	TieringEngineService.exe
5300	AgentService.exe
5392	vds.exe
5488	vssvc.exe
5584	wbengine.exe
5720	WmiApSrv.exe
5848	SearchIndexer.exe
5796	chrmstp.exe
5264	chrmstp.exe
5404	chrmstp.exe
5128	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exealg.exe2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c5703cf892be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exechrome.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fe7b6ca22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000457c4fcb22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e1b2ecb22aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e38676ca22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000255aeed422aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eaabbca22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d5eadca22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092580acb22aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610603335697798"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c49989ca22aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7d1c2ca22aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000475548cb22aeda01	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1912 chrome.exe
1912 chrome.exe
5256 chrome.exe
5256 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1912 chrome.exe
1912 chrome.exe
1912 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1912	chrome.exe
1912	chrome.exe
5256	chrome.exe
5256	chrome.exe

pid	process
660
660

pid	process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4292	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
Token: SeTakeOwnershipPrivilege	732	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
Token: SeAuditPrivilege	4512	fxssvc.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeRestorePrivilege	2580	TieringEngineService.exe
Token: SeManageVolumePrivilege	2580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5300	AgentService.exe
Token: SeBackupPrivilege	5488	vssvc.exe
Token: SeRestorePrivilege	5488	vssvc.exe
Token: SeAuditPrivilege	5488	vssvc.exe
Token: SeBackupPrivilege	5584	wbengine.exe
Token: SeRestorePrivilege	5584	wbengine.exe
Token: SeSecurityPrivilege	5584	wbengine.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: 33	5848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5848	SearchIndexer.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1912 chrome.exe
1912 chrome.exe
1912 chrome.exe
5404 chrmstp.exe

pid	process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
5404	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exechrome.exe

description	pid	process	target process
PID 4292 wrote to memory of 732	4292	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
PID 4292 wrote to memory of 732	4292	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
PID 4292 wrote to memory of 1912	4292	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe	chrome.exe
PID 4292 wrote to memory of 1912	4292	2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe	chrome.exe
PID 1912 wrote to memory of 2660	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 2660	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 3156	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4856	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4856	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe
PID 1912 wrote to memory of 4104	1912	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_8820dfa2ecc6d455b9cdeb76c0fd4980_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x254,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa650ab58,0x7ffaa650ab68,0x7ffaa650ab78
3⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:2
3⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:4856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:1
3⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:1
3⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:1
3⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4296 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:5904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5796

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5264

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:8
3⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1912,i,3998359622589072687,13546232694210028756,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5300

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:5536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
e0f4294543690e842bb54aa677d3db0c

SHA1
5b900ef2892996376773a9eb739228a486601c50

SHA256
41ec0d86fe37e17c3aa36ff1b88745b4d381de563c0a4ca30af21e9b737b836b

SHA512
1b4973cabc0391e9de616aaa187149551017dda02e46ec2ade20c8389c33c304de061ad82897a01f90206f3cbc04b10e6ac21459689d71529fb94babb644cc95

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
4ac30546d6cae02292ac708d1514236e

SHA1
d20f846ea4c4a5e110306087bb90b1364805d965

SHA256
7baedcf569aa4ed0801b84c2ce211dfbd60c8814e6fbf534560d2377ca772d49

SHA512
f4873f17bf5d71b42ceee135de76f83cfc8c895b1c7d64529e84e60add7ed92bba5aa2ab1d3d5f32e7078d5a6c0113f7977e4bb43566cccab8598fe8fce61788

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
325c32f9ec76c45d0ab31eb4a04c4e2d

SHA1
88b59107f3cf0225f638673fa768534fc4c2ce12

SHA256
125c70503b0363039785ca1e19e265fd4a1b8413a01a33bf51dba44d16e88c20

SHA512
af1270946a10d43e20cd6c6ad56e107f7b95c2cb9d03699e805072d99a943699b2ae9c5022479456cf57dbdb1674cb0e29cfb98833f0d7642311c21dc6e414f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2a6122b69748739858928490b878470d

SHA1
7c7553d57fdbcb320737df0ef127266933ac5b65

SHA256
a0a65c126600572c50e6a9c1242d9afa4b78da417c625beb10cfecd78bc3f0bd

SHA512
b62bdbec758f82486900c1ce968fca6de5b86fa9e45f67992952e0dfbc1fec96700bf592b3cb44d92b7523f17133edf410f72a2acc9635723caa201dab417fa7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
c6ba61b534e6e4875fcea1e4c2feb9f8

SHA1
26679cd9624f59072f8bc2a14fb871d9e054ceb3

SHA256
3a7b7c7ac67dc85a6785099859b98d25ebb158a00c524a6d9305e646cb9edea5

SHA512
36390fca944143e5d9e896a5b5768c450db99ff23715c98b97a9246100c20ec456f95be9f0cd78d3557b9a7ac2bd7a7835264990d24fa108d215aad3c141ae9f

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20240524213855.pma
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
6123155f7b8a202460ac1407e231fbf4

SHA1
13121f6000a380f6621bcb8dc7c83f9cd10ab626

SHA256
dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

SHA512
ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\09994f05-88e3-4917-8038-b1ceb8ddae04.tmp
Filesize
1KB

MD5
396522a18cacb88f8d88bd4bbcb05dd6

SHA1
3daf73c3c94e5ad1acc91a9644bb5f55e85bc2c8

SHA256
28088fd64be5917727696a3069a61c3c84333aadbb9b1c669309706641c32e72

SHA512
02aad9ee9b6b0d3f0dc51a0fdf3343be8125be3a31dfd8b5fad534055599267e4ca199ff68e5e6fd114752ac1d976c7d857ce8f0d16e9a8a0dc95d545f4fa24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b4e4e1876d974ec8f8ad239bcfe12a20

SHA1
bf04368d202331285dfdf4dbcc4566fe6baacfee

SHA256
2aeb6a8d9559da0207a4218c8faabebf88df37308a917b25386461ef043209fa

SHA512
b4b98e538fef084fc35a8bb202d89690de82bfb856c03186e76c17ce8beb126073b1aced8b9e0bef11d7e6e46fe42d971e1cb5d95ec1bb8a519a317676f46e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
712f4a490fd4575e4526d769989aab0c

SHA1
bba1f843cbd9f5ef5e76ecb6e9f5dcc64f1a861c

SHA256
92d2c0cf1c80b512b5836cf78d35549ad8e45cea63afb7eabed72e1274ad7f01

SHA512
0b805b1e33a4f91d9562e71fca5a1abac512f00576a65206fb5a5757ecd548bbea4b66f0c902d0c58c4da95494e6d338c1ca2643e07c9b9f6ab3a985f3978799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
0df4baf249be4f44667962ce5f017b97

SHA1
205e01f2a7bf01d30eacf665795c4fad0e3a1a65

SHA256
7c660ad2f18a2af8f63b9c8b2858c958a21d582d4fcbcd2f70ec3cc0f1b87052

SHA512
791b5865e8e109c81f7941ca8c10b22ca941f51e714e87ec425974f4dc67c51b59f086a8270cfeb12916c470e72f22cd12d8880fe856f1dc5a8b63e1d45c1d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575e0e.TMP
Filesize
2KB

MD5
80c9ece824708be3255fd46fed4fa84b

SHA1
6ab10396c88f4760224c2820d198207c54f01266

SHA256
1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

SHA512
c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
046078c70656eba64109ca9a7b106fd6

SHA1
85ef63cc1788aa752953ede932a6085bbcb808a1

SHA256
f8ec44930ab1af2615d586182269d70b914d0d8f199746ec434ba03f48e0ebc8

SHA512
00e5e8145ef195137b915d30de169f4b234fc0cf5f8ba6704ad96671610d0e409a7c1ac2cafb2affb63d87d1d3e7d87313ad36ae76fe3af41e9b35fdee8bdf35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
2867d39f20ae89fbc51f3ba38640ff6f

SHA1
20a5e5a24e84941d0381786e31159fc6ced6f753

SHA256
646505ced8f8ee7d170cce7993a3923804f82c8bfa6acf4acba278ac0d96be02

SHA512
63eb7685abda7cfc016f3f69b484bf32f0c47a67c8fb52ddba91bdf26ad4aee19fd67fbfbd1243ff308cf23470ea3b2c8487f34c21239405db1e14eb5c5f5018

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
bfad71c9fb18ff6add60972572768509

SHA1
cbd2bd0d7e17adaec74b532360f250a360d699a0

SHA256
c3fdb77970f1ff72ea06c6e707ca80b038ac1abaf6e1dc327a304d9ab38ac9a5

SHA512
a55d2b3fc4c10bfb98db052fd6620d664b25ff604977a15046dde654b4ae95bbd29d25ea56b7845ebf5d33733e9edb070fb3bcd946929ea9f6feb6ee4cda20f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
d085fb01be74c64181ab6cbe834364c6

SHA1
c15e684346c52f1738c1bfc3f33485a2f307d485

SHA256
ad72218a5dd3608f74c22598df85305f23740295db40ded447982ffc0870338f

SHA512
f057ce4c9e99ad2ef3e9691d4c6968e889c1db2ad9811ce097518c9a054c0f1f5dbb398dbd82aadc1c60af76d8d3c4dd6ce11826cc420c6aa4ca2790615da4db

Download Submit
C:\Users\Admin\AppData\Roaming\c5703cf892be0f3e.bin
Filesize
12KB

MD5
a13328b1cf3e8602ad2e5d961b1f50ae

SHA1
f900e904a63fc7ccdb3667ac0776cdd91e300765

SHA256
e91e951295baf0213e9ecf415207df4a06e1f5e07dcfa664f7e64abaa3a4fb43

SHA512
e4e79b332ec453ab988a7db08e2ba84d2e4a4c4313a76f2b11a0f777064bafc21e430024c692290f037b9996393ef9e012d47e3c6936844535e40140f630cc8a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
86c604e9e905d76bc12f4a0ac03840ba

SHA1
65987c36d55138d20f6cf0d899c15baaf462f875

SHA256
147de018e3f1bf419cb20c23ddf1caa3f71942fea42359b4a33652ae379db532

SHA512
185d9de8c4935008732e193cd189389f65f6e9b6a0f7ea4a6179b768ed34256e8fcc6dc1250a0984ce4b5148646cc64cdf909178b90607054b108e460c0ef261

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
9256b93a7d4e67f2fa7d4574c8ef827f

SHA1
cd3624ee4ffe63f21197afb0839aa360dc3d1b46

SHA256
42a0f96bd45dc63fd4f4b879f1e1e8de4450fd387f95706d2644cd708b5377b5

SHA512
009dd7255321fb472b0c0b17c5f2f0cfc11c2bd179fc372ee8c3999947f4b0599a3278875f5de92d28de2503ccd122a71e716541ed486550dbdd4fd7160dbebe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
0e7149a54bfb28bb2252d9f3b72a8d3f

SHA1
085cf23f4dc8cd415b696b196c84a94263866b14

SHA256
d58db53d7372aca029fb244972b95bc710fcbb572ab9ad422353a6ec26c97262

SHA512
29184fec846b5423d7296d212cd4a40763b8a7181904ebcdbf49bf84f22dfe21cfcc6811243b2a37dedab01b432cc1713d7e47264171bf6659d9da0958a4da84

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
3357408a71db7ad956bb50015d7fe405

SHA1
1a766f4b1f97e75ec4baabba328039f815386703

SHA256
ac63c6843b75985fb6eadc34b7da0259a48132714f5051c63d98774bfd4bfe42

SHA512
0a59158f60049afa4102cecad0613f1d13aa15d10969898629fdb54725f66cf34f4186bba9e3fc4f097d0b89992a96364557ce75712ed560bab2e001ea30826e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
e60f9a258a110e1a555cf1dc19c3dcdd

SHA1
6bb2062316807eba3018e211ef0b34faa3e65660

SHA256
2792c535704baf6078c89f93700561083c4ee19573849e3777040e11b20c00ca

SHA512
9f51e40cb2da22f677e93825e1c99e94fff96058a1bc7fb8cfe9fdf8b5419a101cea68953bcbd3e890227491d9ce3765c26214cf6a2f02aaa4a6a5e4719db268

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
b4f9e972da2c3668e77e3c56c5e7cc08

SHA1
532f2823f028cf3ecebc142cac11433da9efe7b5

SHA256
2c009c2c22af233a21eaa485fee43b8bc8c11ea2e940ddc244a3c8cc0153c928

SHA512
d396bb77978f2a8cc89fc240c8a7e80e4e415fa62aad826fc75d59ad208ff858d21c5e4a686fb3c3aa6d9dc1b416f288f53da3fd76acd4b35a19822c5c239526

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
5d4f45f39e4e6386f5dd9c2c4ffb6c04

SHA1
761e8e3c047fe07a5f580687cae63790170a1b78

SHA256
131191638cfbd8a83546aba1ac1632c0577c12fb21c2e2ddfa8cf418c4644e80

SHA512
e4b625bc4049315b5491d5696f7bef5801d2cf87f3a95630ca9fdad1edfcb08c056fa87ce14abc64cf51aedcda271c400fde957974d8d809f68b41e8358aad9a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
548caae2f04f4ef11f144412355d335e

SHA1
55fff01f6146207e60d10f96448968791208e3f7

SHA256
e210e8359385590c0ad1a9fbf9bdccd4a75cc412563aee1bf15f671747c966e1

SHA512
ae558bdff965cbf2ae7edae65f327427ef390ea63c277bd54d6067d0bd6f4ebe2b4d58805cfb48cf4a6529771f636e58e3c7812629b042f0761bb4f6f765cebb

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
708ff2442aa9ca71e5aaf5982837e80b

SHA1
acc0e1325fb85be2542817ac8f68d985d775c38e

SHA256
59cb26a45e50104212bcc8e329252448ba41b64489723b09d64f642dc65d5416

SHA512
0e34e6a2552f5fa2efcef0897afb31ba5cce830d10acc2a8b5fcf7f7e22dae5a9f55962c76d5f37bbe97e123a764b76a4ed2efb1181937dde14684bb700cb704

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
68942400ceb9d92b0c17e61113ad4f21

SHA1
615f748b74b266be59a16aa9b7fa99e2a95d5f9c

SHA256
abfd0a709a28e3eaddbd8cfd11e2d38f916799e5847e75ad1dc6cfc0a35b10e0

SHA512
76b1de4d1039f61e87f28ef861cc098553dfdef083b9a6c09ea2a4eca7a4d245b005962ee222d029144329f2467c7568de4b52523d17bf203761b0dd3a90cbb3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
dae71b4b7a564d609d9175b126469a36

SHA1
694b685b15b1c8cebd22dca2d22fc4933ebd1e23

SHA256
fdd4cea2758473c9a524b7d56fc2dba4f7253d28b301ff11898a61b3500fb414

SHA512
a1c9701828048b722101c97ddbd94668dca053cf596917506162d85f7aa8a1519de2c143ea64d559dcc3883113e34891f76046de132f298b447fd2c4715b7977

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
4d0b65b1d469f96202e86a8752dc69dd

SHA1
7dd047fc1ff1e4c33426eabaf7a3eaead2baaeb8

SHA256
ee10450583f90eb3b43dfc8761fb4609d28b690b9cf23ee2ead199f73834787c

SHA512
77459786e238ffe4bd2f8a3d258f108ec75990d32284733c1dc4e780c10cdbe0962f8f2714d09520e2e362ee52ca5cddcc520c2adbac09cf2f05ffc98f9e716c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
32594efce268dfa7b3633f1f965e250b

SHA1
ca5b1998031e49308f338080c668077a2fa39ab1

SHA256
bcc6f191cddde675e72c0893a33d4ef74df9fbd6381b2179f8fb813e25600e87

SHA512
666388251e121dd0ab390ac2cefa334f8eff608b92635092fb2f5be95c87ad913ce0963b95eaa5e37f5ff6235059823f49253783e182d61afe9635382adec7ac

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
fdb079ab4a6776a1e8153149acd8ced6

SHA1
d72bd8f71d809e750518b55c8ad4fc29d9f2c0e5

SHA256
8df39e64778a56cbe85a02a1232af8bd4f503404b2bc65c94abb0b8e75965341

SHA512
b2594c90183dc736b83c442adb816182a54261037980c18d48b745a02be9dd472c4323d3dff2e1efa7676d446aac9eed7bd712a63061e9cc3e8870854ad72e1f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
afddab1e82731503d7e8c5858a59b1a2

SHA1
72ddfeb5aa648df4e96a243fdf7c305a371a6916

SHA256
90e13fc69e400a77bb7623d29667566f0513a73f9625099d08412706bcaa309a

SHA512
7d4794c98407b4b90711e0c1b8913a203eb87fa404d8b402011a05d8670feabb09176752f429f8a1922df379a4895cbbfd7666bdc6382a8412ddae118f3b400d

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a0d2ac5f36ff61b3e30ccbf27c1ad3f4

SHA1
32bf0ded85076fcb8d7e60048ac22487e4f77856

SHA256
43c0b21d69c0922c604d6b422fb9598fb52ffc1d1a1b2d6324f7f89a8f207570

SHA512
aca417ac5771a44c313f1220a1180019bc0fc8c084c8c9f7453f0c2efe8a1cf0bdb69c22b34795837b2b0c4dca9459e686420269eef9777bc846756eb9f22949

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
cff16fe661740a0444f42243ef0234be

SHA1
22ad13fb43da415ecc726778493453e7e2d58fdc

SHA256
8fafb7c13f9d1d8721028dee46da3902a47786fba854c68cc020d452d1c6b610

SHA512
57cfaa32dadb3d3d31e8d0ca8b5726ee54b3e923fc58ee45066360c0dbc85e49ce2d8e145893f41d1b1b279e991908cb7f6cab2fa340c4c15de06a0031cd8de4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2b536f0c0e81c6dcb663495556c6171b

SHA1
eae6e31e56a4577251a4fe95aaf0a45b3aa5718f

SHA256
73021cd81c920d997ff414f133ffb555de6626e577771a13abf58366a6d9132e

SHA512
3e5f65e51f3fbacefd17ce787723a36af62d693e5030e8a5bce045a13c6b9a30d35774e2383fdc50eb052c89f12d125d4fa049151568a9c0870f0da8b9a46607

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
f8da1e3912337378c0f722f616cf6aaf

SHA1
22482c3e69a3b76d24d4e88d30e345654afd0338

SHA256
342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b

SHA512
b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

Download Submit
\??\pipe\crashpad_1912_ZWAOSAITJTNMBRQA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/440-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/440-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/440-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/440-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/516-177-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/732-19-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/732-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/732-20-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/732-159-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/876-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/876-300-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1228-147-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1228-288-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1344-32-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/1344-202-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1344-40-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1344-41-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2064-46-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2064-55-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2064-54-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2276-203-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2276-476-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2572-77-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2572-75-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2572-69-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2572-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2580-522-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2580-239-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2996-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3188-226-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3188-516-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4292-25-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4292-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4292-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4292-30-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4292-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4512-58-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4512-64-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4512-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4512-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4528-176-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4552-484-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4552-214-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4860-117-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4860-276-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4896-93-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4896-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5128-685-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5128-543-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5264-668-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5264-496-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5300-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5300-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5392-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5392-277-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5404-556-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5404-518-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5488-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5488-660-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5584-301-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5584-665-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5720-321-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5720-666-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5796-567-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5796-483-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5848-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5848-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download