d87a1fd0dc1de166a2a5bef60285999001582e368f4b4c6acb467631ef7d4997

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
Size

5.5MB
MD5

f9b5d75c63f54c99d6325a717e76a5fe
SHA1

9324f09d22c40340b6dc9e93dc0b3ef387fad538
SHA256

d87a1fd0dc1de166a2a5bef60285999001582e368f4b4c6acb467631ef7d4997
SHA512

8f5829442a48486e2f3247b4b57ef24eb2b78e0b6a021b0e1d9403e8450d5e49d4c1036585b4c74955222e3bac59a9420ce12c59b780a6caa53ad9c97dda44ee
SSDEEP

49152:4EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfM:WAI5pAdVJn9tbnR1VgBVmW8F1b6TwY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3360	alg.exe
4396	DiagnosticsHub.StandardCollector.Service.exe
4688	fxssvc.exe
2772	elevation_service.exe
2128	elevation_service.exe
3916	maintenanceservice.exe
4424	msdtc.exe
1672	OSE.EXE
3844	PerceptionSimulationService.exe
4692	perfhost.exe
2856	locator.exe
1344	SensorDataService.exe
2168	snmptrap.exe
1992	spectrum.exe
3284	ssh-agent.exe
1656	TieringEngineService.exe
1052	AgentService.exe
884	vds.exe
4740	vssvc.exe
4560	wbengine.exe
1680	WmiApSrv.exe
5212	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

alg.exe2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3a42c29c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

chrome.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cfb974924aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610609762632458"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044fe14f24aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079c5d74f24aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002499954924aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd62d54f24aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4cfa45024aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1192 chrome.exe
1192 chrome.exe
1192 chrome.exe
1192 chrome.exe
5768 chrome.exe
5768 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1192 chrome.exe
1192 chrome.exe
1192 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
5768	chrome.exe
5768	chrome.exe

pid	process
660
660

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exefxssvc.exechrome.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3876	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
Token: SeTakeOwnershipPrivilege	4772	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
Token: SeAuditPrivilege	4688	fxssvc.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeRestorePrivilege	1656	TieringEngineService.exe
Token: SeManageVolumePrivilege	1656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1052	AgentService.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeBackupPrivilege	4740	vssvc.exe
Token: SeRestorePrivilege	4740	vssvc.exe
Token: SeAuditPrivilege	4740	vssvc.exe
Token: SeBackupPrivilege	4560	wbengine.exe
Token: SeRestorePrivilege	4560	wbengine.exe
Token: SeSecurityPrivilege	4560	wbengine.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: 33	5212	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5212	SearchIndexer.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe
Token: SeShutdownPrivilege	1192	chrome.exe
Token: SeCreatePagefilePrivilege	1192	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

1192 chrome.exe
1192 chrome.exe
1192 chrome.exe
5588 chrmstp.exe

pid	process
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
5588	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exechrome.exe

description	pid	process	target process
PID 3876 wrote to memory of 4772	3876	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
PID 3876 wrote to memory of 4772	3876	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
PID 3876 wrote to memory of 1192	3876	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe	chrome.exe
PID 3876 wrote to memory of 1192	3876	2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe	chrome.exe
PID 1192 wrote to memory of 3140	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3140	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 3080	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1812	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 1812	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe
PID 1192 wrote to memory of 2028	1192	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_f9b5d75c63f54c99d6325a717e76a5fe_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5429ab58,0x7ffe5429ab68,0x7ffe5429ab78
3⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:2
3⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2076 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:1
3⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:1
3⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3508 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:1
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:3160

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
PID:3636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6946eae48,0x7ff6946eae58,0x7ff6946eae68
4⤵
PID:5544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5588

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6946eae48,0x7ff6946eae58,0x7ff6946eae68
5⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:8
3⤵
PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5068 --field-trial-handle=1932,i,17196873777076832018,334186639555457871,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4424

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1992

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5212

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:6004

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
2⤵
- Modifies data under HKEY_USERS
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
15afaa9238e278b5f13e50b4e6a19705

SHA1
f206a490ba5d2f7189beef40bb368900529ab4e5

SHA256
3f5c3137784914e4dc6fbb9cfef14388174192cac7d146d22f0b9df10cf301a0

SHA512
c6c7740680f3245c969ff3731bc88613609402243110a7fb39cbc766510c8b9ca69aaf6f6448c2b25ea9279bf3a56c1cdaafc11d683f4cfdd62f04d3af601358

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
60d20f1854e7d77f03cabe078d98b80f

SHA1
957ac5d9fffb53155ba4ff0a965b6be80a8104ec

SHA256
f55cb7a4c413763c09e37297af16e6baa691ce0c180854d1241ec4eb87583f76

SHA512
6cb0a15d876283b0d82c6c5c492346dcb6c01236364b14534e302d0e6872afad059b130f034ba6fa4c81d572df33933c70915b2f2a1ba5aba9ca04937f84c680

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
7f2b4eb2667b07a6ad3988cd7c6c4c0e

SHA1
fa02e413028c5da9b6726b4b2d97046540ea768c

SHA256
971f12e5ca12a3ea10bb1d395945e2097502cf383b1d729d02b1cbaf5c828390

SHA512
56e3ff2ed5b36a664efb775d49f1f352eae546e48fdc0a3782cd9edb802dca41e7572dcfdcf95ee316f5915139f2876d407bdf1c85de2802f56b418bdc7422cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
b9784f466fd58d3ee9475fb64293e570

SHA1
07ef96ae9f34fe858e0b69627a3a76a12c33285b

SHA256
0c32a04012ffbbb6f3dd1c79c00d0c8c401a142ae12f13bf7076ceb450220499

SHA512
63ee5d7de0390798c77a976dec28bbfa5a1cf6bfe504dc1298d40427f1aa794ff16c499719ed59f613c2104948ffa4458eedfdfee39594af83adfa726aed81b9

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\9921d4bd-5d92-4ae0-b994-cbcd65584b50.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
89f55681cd116518c116754e0407b2c8

SHA1
f5d4aeb85e94ba181091d6a1ebca93915919c9c6

SHA256
f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9

SHA512
8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
44a8f4b3d5ac1d28bacb2356b3e16541

SHA1
8222a8aa3814044b50084f54b5117d95978365d9

SHA256
9d94eec7101a6fac6bf8f001b736d805471443ee7dc038dd9c1a151c4ceffbd6

SHA512
c788492a62649762dcae2d17f64112a6eb86e5a2dc9fd3974935446e83611d1ba48d3f8c71b5bce4152ea3b8814176c12e412319e234f360d9a7c1b22ef299dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
49b4b4abc0a117f46b503153ee635043

SHA1
630230e0f81d67dd1ad4f79fa0f984e2ef8243b9

SHA256
29557cf07447a191b8451ae3262faf093c22af5f0457e3b65c9dcb0cf16957f6

SHA512
e4351d86d78fc9230c91e3075053a2faa37f5f69dbd89104efca17d9ab4eec326e4ad0bc9586cb5339fdfb67baf07d6c67d1788f6becba7148bbfc57d3149914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
153fe4e53b4339e51a12aa984df99a35

SHA1
819dca96c7f67204df9c821076352582c172dfd7

SHA256
1ae2f92369508b2d873e695e777db7110a5ad1f24daac5d5e17134e7eff78a24

SHA512
4f408f1d1eb96ec945e85d22a430b8ca5c822daf187bec02466fbc83c889da9af0aceadd8b8101ca3469a550e74475bdcfa611e505ab2d754e02642247893ca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577995.TMP
Filesize
2KB

MD5
8e5632bb5baca5f24f88c9e2a8eb2b6d

SHA1
71f7dee86640b602595b40c6a65d7ed4498cf00d

SHA256
88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad

SHA512
def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
52c0a1205f62c5db38dd0456b6ee4c7b

SHA1
7ac1c418998629c1d754c9354affd0b4acd22b29

SHA256
ce3097efe7fdfec0984d80e68a3a07735e1d37385322707a4278721136a08eb1

SHA512
9ceed29500769cc5cb6780e4483c8af52b7437769ccccab2c2620786d83624d69703926ec71a898e00922e794b5e223ab8ce0bbff273395062392537f40c133f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
c0eabff2cc25079723db5b77bfe9085a

SHA1
88202d9d7e4d21e3b7997f1cd9d5d952dc188360

SHA256
abdd6da7a5d7e81e096eaf82bfd4e0ab265a662057130dc018a54030d2224a3b

SHA512
e4cf048323ab1a6a3887d3b6d17c225785cb04855d907fb78f1bf8857685bd11b3f19b86e19ec0bc74d5d4bb9fa1cb0cb95a584ea2383a8780768f90e0aca8bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
d26183de54c0c816925848a07301abc1

SHA1
37b344c49a37ede733a03d07868119d5cd6285cc

SHA256
ba28e918ce44cb4aae2b60e9c119cd188356c7f243c62b760fe3416c836ce9ac

SHA512
fa93ff570295c7aaed91dd7fff61a3d1616de5b7536969ff0692d399bc756d8bceefd30e28d9379c984fd0dfc573ec5bf3f9ce5e7b259ec96e30b6b56bd1a213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
0cd9e686790628acabbd3ac9d5cbd6ee

SHA1
3744593f72adf8ffac1b9f618c7897dcff5d379c

SHA256
461cb9161ac6a9e0a8ebf3a26bccf5ef4e4e4a383dd54a9bb1b26caba011e4fd

SHA512
e1189e932515767a3161cafa5b42b80a42ad34c4359539bb69a950d4ff35736a625533d86285b1d6775ed3829f75d7532eae02bc68e51527112721a39c897088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
36e4c00f10ac481c7d2347f822108793

SHA1
1c3ec4d0bdb7c7f30fd45a6aac3bae011c5b4f6c

SHA256
28167b6f70296d38027950659fbf479ccb4191105dfe62740b0f145722967364

SHA512
4e1de73c8ddb93379556c724f13c52adb06b95012d35af90e9942eeac83de70a85109df7ea71cae836a1d2a95ee645028475eb8966bc841de508a78bae3372be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
f6c375ff7b05f29e351ef1d9e7eacc0d

SHA1
c01433db0a9d6083f1ddf93ea197b94c3009ce15

SHA256
fdff3ac59ebd3d741dfef77f8c98446ede940b81728d7fa70ad0b15c63635912

SHA512
7c28dba63b1b119ea6efab3088838b71257d70d0dbd182bbaf174a01abb675106404604fb0b3388b98a2c0e4947960fb47f6e6c7a3dddbde67a14bc83213beaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ef03.TMP
Filesize
88KB

MD5
12cb0ab81ff24b822381934d112fea03

SHA1
c38d28b7d8e1621676d46f829670e847c8ffc14d

SHA256
96b3c69f660da51801bbc845c6f445aa8cde506ea602e6c0654fa0c25f29d518

SHA512
993c4ac996315ea80fdc07d2a6ec5511d2fb7e4483d195346325730c24229869ca71ea607bb9ffcdefdb8708db3239a720586b71addee83928ad90a1e18323b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
f0eeec3afde24596121cda38931ab7d2

SHA1
0db40649f62fa64cb4771a4ff6bc0c7a1324e310

SHA256
6305b2f5b555a5c1e91770eaf82c7677afe76f70d40cfb2beafff2ca5be978fc

SHA512
a01bca29a061d07d1faa72d21056deaf4c7ffeda42e7ab10e97e0b11146f3d9d09aeaa5fad36ed57881a18d1ec419ff3e50c122d52c9fab9ce12101be36817d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
98426ba5dfa1c6b7c54b1bf8bfec33ca

SHA1
fe02c9b06108160d66211729741fb404b6a078f8

SHA256
4734d9f6cc33ddfdba9da9ca562839ca1c4310cfb7cdfc117efc7add392c950e

SHA512
28ee180186608cc29b0571284aa88c7dfcf8967a28658f0511443e4045fedf3aa11f14133c605b3293c3e6d2543c4a53af2b222e48c2e0971fa80b7b1cbf5e27

Download Submit
C:\Users\Admin\AppData\Roaming\b3a42c29c8648821.bin
Filesize
12KB

MD5
859110e5ce9a78039b22988270b2dd9e

SHA1
e5adda9068cfbf6fbb4c4c9f55cd62f34e37a6d3

SHA256
dcae54469f484daf6edb7ee2eefb061d23c950ea8b6dcf1a46bdd0e935165eb3

SHA512
609a1203c7788331568ead4f035e16fbbf393b37ed1bf5c9e4b4fa4202ef0f06237d258afac4c5b7c98964ebe4c60d58c3999c6cd81c44fcbc91d3e311b5cdcd

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
438063f7253c3416bde00d28d67e7d1b

SHA1
57718e12e92e49d0d53870f7f4dd3786674ecf35

SHA256
2ad22378c818f03fbf30a9da7059d061f8bb3d8924d41a44539c1d619e5fbec6

SHA512
8588c8002e704cc3e930e1a8aff470ce83cc30077a447e9246e9658f793d49b433440e31e5ed8c26d94cab6b86997e4d5870e0d571909da9a6a17900c6813bf2

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c4348a57085137727da0fb00739ba55d

SHA1
856bfee76f8f42506ef406472f218ed6bd0160f0

SHA256
a313b28b044ae53cd2c60cd9e8962aba96bc7c7a9594fad3829a3a84fecc5369

SHA512
c8faf6f8d6e30c3a5f055116ace8a0ff956b70ad06f2ba4f3307b7f6c44256baa74153f7324381dc6c548dea3c85aa21e26f5eae8255765673d3359a473507e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
25e78dffa111150c2dad39d9b68004db

SHA1
7c0a2ce777140dd31c68bc1784922d0c3bdb8e46

SHA256
2e864e8c50bf805e55b60d0cc0d687032f76e52bc3072fa213e42fdc03b4ceb7

SHA512
bde9163bad9b2ebc1c7384ea5ef26b8daa31f20da89b0f3eb80519e8bd70dac0f9cbfc69d7ff71582b9edde75c784fa3958c4f48e07f123791bdebc113ee4579

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
5673e91d71466c4b1b596a5e36ff3e8b

SHA1
eee904f6da255ba5ff6711d53d27328a69d2cf6a

SHA256
adf88a17c3220020c18407b4082d9f0533fdc7582413fa5515a46a876e10be8e

SHA512
106aa716bdcfbd4ff46bcc15bd52956dd5958324e111ad87b0d93f4751e60d652b8d4badbaa26073b272200c0e881fd49c4354d55cc2f145ad4cd0f1b2adaf17

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
fd50dabcff609c03c7105101d3f4a292

SHA1
82f69f17c594f67baa626468907ef7856acfb6ed

SHA256
6e7453f8e536026b7cf2cb148fe043d03ccfa4463e2ff444e7e177f0bbea425a

SHA512
8766d2e7c412eed247336ce670dffa47d1cddfa6650438fcc5aa94c17ced344e6128cbc36c3019445f7ae92becf91a58bca21f8b3e3d0836c5b4dcdeaab62838

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
b20eac845a752b2b59149a6a0f752044

SHA1
4d28366d5699285ed47048955f7fa5f1db549425

SHA256
2bf25957fcf5792e9faa1c95652d4acd325f646cb7966399c4443bb48f4856e0

SHA512
cc21f1ecfa0368f6a7049fbc9ffa7621f4b2e1d587da10a074c6740e01904fb2375d01bd77bf8ecd14f837e08f405e951f8e123e686f409520b29e32f90b48fe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
a1c29e5188bf170f17f634214f07d285

SHA1
636e0a56f0edf757863b5a68d35c256fa797bfc2

SHA256
dfa5b61a3e2b09e2736c284b25e7d6b44ff665e74956d1ee394e5b3831c45a33

SHA512
c68d3494e6792114548cda0dbfb750db353f70492f519e9707271ea717fe00c2acf3f681ebe0a1d54363af6d177b18e4df4238d9641779da8f9bfa84d59efdd1

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
33b0391c95f48f0f1bf0ed0ca0831f98

SHA1
3dfe5551f005d5b4b3933b0ac8f6810693301485

SHA256
70d358daf0c53f9ae800c20e29cde814815808211de2cd3a5d79e50972beca03

SHA512
fcebcea49020255eb150770660f612a8318135b7af48eb499e0510b8e8786714fb67d1deddbd1db4024b4c0186a2a4a786b18086ae2c9695c17e3cf643025f67

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c5c350f124393469f400e3cbd3ee9e08

SHA1
dca21c1be17c49bdd5c969a60834d25f830d5665

SHA256
1b8e2ae3b681bceb15be7c6a49b568ba5b0257d66657ac0cbabe1e2740fa77ed

SHA512
9068ae23c7f5db06e163c855428f512880924f48decc27a7fdc4915bfb3aac1a31326368441ed8f5709d4fbd13555bfb77b32bc4f26c697fa24f18b46532cee4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fdb98503326592d7eb57ef77d9b3e670

SHA1
9bd90d6cf1cf2999b1101cdefd47d0bf0a430014

SHA256
26ffff5c5e3107a40ac03aba14ced2701a7049f677deaf30abc314fde2297a34

SHA512
521365cc5100fa2b1e797850712c70885fc0b47a2d851fc564c933a58a1135ebadedcd03e6cac31e8c0a6b65154d06332ca18d1017201623691ce4be0afb9f51

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
26009581581bfa84639b9abdf2b7c497

SHA1
7a8aad2126425b9aa503d7d6f27f9104ec72a8ec

SHA256
19f976a2eb7132b49b7afde8e3448c4d7fbe9142b3c1cd5f018f41b57450c830

SHA512
cd013f7f3de77ea7543d3186c584b072b3630a560ebe0ab2b69b45fdf7ac4048c827aea7cc959c3c846f17cad3de4eadd7001fb2c097a0cc5f6842e830d3a8c3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
f0b3e17b8e427857cd6dc25a829b0ffb

SHA1
663e40ca0cb632e44f9247df47c25859d11cd4c2

SHA256
1cbf1829ef4e99f7936d127ae25e01049969a8c1dc78862c82d632fd6568fb42

SHA512
c7e895fc7f500b645401d9a675d8604338cf08ce972c6084cf6247643977dbbb6d946d91e2db7063d8987f61689b6df2a7016fb7b30bc8c7e107298438a5e52c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
7246ec2cee75edeae1284d26afe577ff

SHA1
e2281d00c816701a1509fa7c29477723bfc66c44

SHA256
cb706b656327f12941ce2aea41c6cdde63fe441522a865c6ee112af9d6b73342

SHA512
74f55bb980186b7d598e17600705c1998eb4a5df25215101e156250d9212367bbae2a5eb4bc5310675ea380b8aba4495a92c550833385c2438f557197e7da196

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
24ba2a126a69ef7fdf0837d2324c63e1

SHA1
3b7469b4b276c6019121eea9f51947fbd6660341

SHA256
e6e91fa2a6e203bdc3f569f9c00220d220350f7ec9b873aa114932ebbf37c278

SHA512
9df1f7588df135d0ca3dcb2dc5408f5a4e3d2a9a1ed48350eb2831e4e4befae14a07b74eb9d0e0bdbbc8dc30b586f15af7463cb361c23d6c3ab162f8130bce41

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
b79b0c1eb8fcbadb4f40d45fb5862c55

SHA1
e4077949bb3f33e29da3ad2b594bacd79507e16c

SHA256
ef0e65624c152db5fb88711502956fa52874b3c0529b7dfab7d3bf9eb296d6d4

SHA512
83f724774350b0e0df197762ba74657247dfc769c147afe37669ac19e99f30e9570f657143e66734984ab2700e1afb63472488d3ea56b3ae32c45630a3978b09

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c722958f2b883eeb76b88d69ee190382

SHA1
54c8e767024865fc4d8941291f3c1453e4697c91

SHA256
91b2d6b0690315ef927c551f91d7cd7ef66002018d9efae3e8576fe716447cc5

SHA512
a5e2801780b7f66d0b9aefd79733b36d99958a0f1da048147a670f0ed1e8f8b7a43769028d8fa0b1ffcec60b86cedbcfb8acb3b1fd38731c51bd2c24ad6556e1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
539db24b25dd7b956bee517359107a34

SHA1
39205f752577d33434f96ce049436cb7f90c9365

SHA256
0174d17bd186e424263572b7b590dbc34432c743cc23e26dca0e4f834f53a683

SHA512
9822aabb82c09d1e63f0dd738212a512f16ba7e90c7d2783824509597f9f76b8c4c004b1c8a27c022db5c3374fa0d38364a88dbe7810e16ae0ded762c10393c9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
d699f36651f541095f00915c85566663

SHA1
fd5a1e46adc4c899e6bb1e03f5565fe7302df5d1

SHA256
0c6306ceb1666b1ae290031ce4a8cfb4b8d4dcb35204b00776026ec77f2e977a

SHA512
c0ab77066aa8679dd707e379dbc05e49358a805e77db02541c9b8afc014e4c6fe799967c8d4f4e1f5ca5c9a8f490c9d4b710f301685ec64af56e5f1ef9373c99

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
63c24fafa38c1b0109d7b33c1be0d22e

SHA1
9b3ae6d17378fa094069f9aef62df034089e3083

SHA256
5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20

SHA512
1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

Download Submit
\??\pipe\crashpad_1192_OOCKKCLXSDFKNCZN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/884-288-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/884-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1052-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-202-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1344-591-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1656-607-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1656-271-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1672-148-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1680-332-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1680-725-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1992-218-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1992-588-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-262-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2128-101-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2128-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2128-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2168-215-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2168-532-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2772-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2772-100-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2772-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2772-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2856-185-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3284-249-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3284-597-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3360-28-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3360-34-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3360-210-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3360-41-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3844-160-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3844-300-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3876-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3876-36-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3876-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3876-23-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3876-8-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3916-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3916-102-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3916-92-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4396-54-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4396-53-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4424-130-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4560-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4560-724-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4688-58-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4688-64-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4688-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4688-68-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4692-167-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4692-312-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4740-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4740-673-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4772-12-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4772-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4772-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4772-201-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5212-730-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5212-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download