6047152ba0513ce2fb8801f7479411dc8fdfa983086d4c0e3a917ff76db72f58

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
Size

5.5MB
MD5

ab5e179169bfa4ca70f17c359e88279b
SHA1

4ead072ea41459c0c6c5bb80e0662c27c12610a8
SHA256

6047152ba0513ce2fb8801f7479411dc8fdfa983086d4c0e3a917ff76db72f58
SHA512

3d2a70acd3650b6decf2e85c10e4bc29c68edd343c8c455dcdae79a3c2b25ac3a859fb0aa4cb5dfca6a5efa1e2be4c1c6f8bd040c6fde0c29e1b1650b6ea87a0
SSDEEP

49152:qEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfu:AAI5pAdVJn9tbnR1VgBVmFTjYvH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
2420	alg.exe
3060	DiagnosticsHub.StandardCollector.Service.exe
3944	fxssvc.exe
4968	elevation_service.exe
1148	elevation_service.exe
1540	maintenanceservice.exe
1040	msdtc.exe
860	OSE.EXE
1264	PerceptionSimulationService.exe
3380	perfhost.exe
1648	locator.exe
2180	SensorDataService.exe
2052	snmptrap.exe
1876	spectrum.exe
4588	ssh-agent.exe
4544	TieringEngineService.exe
4448	AgentService.exe
4504	vds.exe
1848	vssvc.exe
4828	wbengine.exe
2484	WmiApSrv.exe
4680	SearchIndexer.exe
5812	chrmstp.exe
5908	chrmstp.exe
6008	chrmstp.exe
6108	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exemsdtc.exe2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b1bb2f37c3136770.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dc0c7dbeaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000726368dbeaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004785ccdbeaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000519f20d9eaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085e7cedbeaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074b5f5d8eaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610363107564889"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef9aa1dbeaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdbf2ddaeaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3748 chrome.exe
3748 chrome.exe
3748 chrome.exe
3748 chrome.exe
6016 chrome.exe
6016 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3748 chrome.exe
3748 chrome.exe
3748 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
6016	chrome.exe
6016	chrome.exe

pid	process
656
656

pid	process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1544	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
Token: SeTakeOwnershipPrivilege	5076	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
Token: SeAuditPrivilege	3944	fxssvc.exe
Token: SeRestorePrivilege	4544	TieringEngineService.exe
Token: SeManageVolumePrivilege	4544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4448	AgentService.exe
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe
Token: SeBackupPrivilege	4828	wbengine.exe
Token: SeRestorePrivilege	4828	wbengine.exe
Token: SeSecurityPrivilege	4828	wbengine.exe
Token: 33	4680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4680	SearchIndexer.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

3748 chrome.exe
3748 chrome.exe
3748 chrome.exe
6008 chrmstp.exe

pid	process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
6008	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exechrome.exe

description	pid	process	target process
PID 1544 wrote to memory of 5076	1544	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
PID 1544 wrote to memory of 5076	1544	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
PID 1544 wrote to memory of 3748	1544	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe	chrome.exe
PID 1544 wrote to memory of 3748	1544	2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe	chrome.exe
PID 3748 wrote to memory of 4732	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 4732	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 2244	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 4108	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 4108	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe
PID 3748 wrote to memory of 1692	3748	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_ab5e179169bfa4ca70f17c359e88279b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf0ab58,0x7ffcaaf0ab68,0x7ffcaaf0ab78
3⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:2
3⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:1
3⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:1
3⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:1
3⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3816 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:5724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:5812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:5908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:6008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:8
3⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2424 --field-trial-handle=1920,i,17108145865502722814,3568939592507028657,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1148

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2180

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5272

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
646038ca9202e3734f770f49f3c495a6

SHA1
aa50e518beb83a8a070d04343ad26b006a060664

SHA256
3874a352fe82d32c0c49ede941df300099b3030c06e6c7c476db7833cf99f0ae

SHA512
0db10675bf9ad59558435ba40e005b9e453817f0d726a4a9a584d9725674422e9962711b6f374ae2b3bf5fc0c9d276c478f7a21a3cfb90a45fbc9263c7c16e76

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
22fc042d6a1b5e49c4aaf90a86ce2397

SHA1
66ced16fe97c9bf510e195c95d70c3ea6def8d45

SHA256
7fac19add9b9c751a2435268927a3f67558f6e60ac5399f9b445e264fcc7f85e

SHA512
cb6436ad342735e5d2f7f79f15d0f09ee6c056efaa6b7ab3173251efedb6239b6ab91e8a083fadb5901dc99baba4841266b259e6027d8ee80816b97aeb65d51a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
5d0375c49baa9a3ba5f0285aed305d5c

SHA1
9906768bfbdcb87f0cb59fabf12d698850ec77a6

SHA256
9ef3ae3ae2e0ae3846425032ea12bc9fc34a9c6d1c54bac35d78e5398024b29d

SHA512
8714af91a30bc8cfc27bfb4e13853981dd4541a69796a3b7a60f671323a0a6c2aedb34bd736b700dad886bbc3a1d7eab75925f241264a9d551f480d6dba34ff3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4a3aea87c90abbb8e49eecfd0e752d2c

SHA1
275ad813ea4f31908606d11a51764b319b4cb448

SHA256
21bd61c0cf2a3c25721669b65a8a982352d4983ab27af224b5f30a84a2e2ffff

SHA512
dcc11d53e26314a5834396a74e10edeeecfaaef01fb7dd50fde571ca741b78664cef062d74d1ccfbcdf54633d8100ef340c5d7ff50fdf986a2bd717b6a66e3b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
1f6550bc4d3eec90eab03cce91275545

SHA1
e42a712b8e3e945509123defb5375b9931604fa6

SHA256
567b0ca98e9e8ef12f2c307ac3cb89443f7fdc8809ba21020f20a31e0255a95b

SHA512
07e63e6da5c5bf52b10389377d0b5afaa3e93bf771ac9ccd0db1e12da355ca5490d69f4686bb37f2435dc83860a7f93e7ab96cb0e719d61214c5c8fa6a29e811

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\e074467e-ce9e-4332-9f60-c4ed36d76fe5.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
3b3b548cb18e8108a1807fb4acd9ba7c

SHA1
636e7f8fa50b60d6e239e87cd5edf9f9403eecb6

SHA256
fcfd3c6d771831c78925cbb32c0d4da3835c1672bdfb73c3c36aac0eb44d0fbe

SHA512
c9e0f1e4fec68987a9900c1530af22d9107963fc9691d56031f9b02037c1cd99c8a8bab8df2a8f732dee79f111b0438dc0ed24d508230f7c6715580d95c21cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
7318fb4a8c3bd7626be08a9b702ee290

SHA1
5d7e87fa58bd57f002a9132b4768ac3eaafa699c

SHA256
4338ca819aadb89fc4b7c57e41dad53b021a60f447981b156bdc4805fc88df15

SHA512
8ad4848d793230ac7fc32ef031e2004bb942efbec3120f1ef26b4eb5c8bf980a22fb2e838821ead945adb0d8dab96a4a6cd9d4399417c7ec08e310965ffbf8cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c796f1408860fb3f00b5030455cd2c92

SHA1
1c062d615c1b7b12003c1a288b7e2592ab1c8d7d

SHA256
f9ef4944498297476151e0b0a72eb1272cec75a19a7a683147538d7a8a9e0249

SHA512
bb839b69c4fbc47eb2016943b53fec2e043853da3bc2f2936b4d54e1b32efa1c27487e71610f0db8250dd3acef0db68698aa2be8e062dc994b37ccf0ed06fdc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578434.TMP
Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d6ec8c5ac2740f55468635617d86a521

SHA1
1c462678da0846b7951690bd2aaa34ec0af7ed53

SHA256
538dd51b8f13e68b2269f423dc2606e850b447b1f6549878d2801e99e79a7e7f

SHA512
9173cbcf4c017744a91eea7c5d465a264c220b5cd1c6d122c1d87df862a022f55a55cf695b71bcd55b28ab5810838f1443177993ed4ced64f492ef33d5c73848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
a0c376f0cf41b604258baf2813037d86

SHA1
669a8b062d72278938e1fe20626deedd6f3c18ee

SHA256
2a0a0a478ce03dac00949576493b673ecc6567f867850e4dc9324b550b042dbd

SHA512
e6c1ae81915f6a790b03e7e8024820cf651fd06f92d0a7c4e84100938b1698ceb266b9df8a3740cdff9079eff64eea781c580144e57e606ec5bf89c3cbe7f24d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
9247ae77a17c28c22dcebbc79ee177b5

SHA1
ffe6394db103df4561ba0c04cc82ae2bb9f5083b

SHA256
eddf371f9c901ce3ef437d14510e00b6f2e7a1b24fba22a201a13dd2cfdbaa4e

SHA512
55dd7452ba7fe06934c390d3c16c4b1178d270bf898a84dbdbaa56afe8d84a208c62b325d80f8bf60e56328bf6d31bb9c2f36a192c6b3e40fd59daea553875ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
888a804976a731cc715a425ced5635c7

SHA1
97ed3b1123de0d55a31f67d7821e09bbb50a0458

SHA256
93cec2dc91bf8fc4d7a013f4596f95c2f582a939b0e5f888815b368deabf1226

SHA512
0a6149f2defc2d3937366af9c1171d2cf71a429e5f5e312ecdae007d9b59373f9084f2bf98bcec01736171cb62eb2ff5caf10f93c11c3fa68c8bc472624fe5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
a8a7cee30ae5d7bcf69049ec8345a5bd

SHA1
91a0b67f71578986e87895b40a90258af237078b

SHA256
048f3278525eb99b5529a4248cbb7f9ca1cb9292bef3ebde3f3fbe00d4dab404

SHA512
f21f14ec54960f0b3e046b2aebadd5e002e8895729e74624b5f58127588a006ec0fc28b0c0a1e7a7f2b01d49674ff859df226b3494b6dbe09896a87a7fc82daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
3b312bad932eb20b9e772fc06a058fe2

SHA1
791b9df78681122d9a466b8422c644fc6786f11b

SHA256
799d20ca2dd66e081ec165474db04c3fddaf08c929e7526a6fe1fc758270a8cd

SHA512
f3fc8024018531e3ff3c7d44aa6c5147f87eb86d796a35eb43f979bb9363131b9cd8b68f74be44da6b792099f0b0ece05068d4aa912a3e8e706e72f7d88d1d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f983.TMP
Filesize
88KB

MD5
3a9e255b8d843bd27a941fb623404fdd

SHA1
accf7b7c99bce29704a6f010c5d312da0aa34692

SHA256
d5178a341e4b6fc22d7c5f6f3a67c316afc7095c51ab36e82d5630af05368d97

SHA512
c5cef1404241f77bb837755d6e7c8b94af3e3633b85b0376ed8dbb1ec30938b0f07ea6285e9d7307f1f78d5d46c31c0db7d9d53a66edeb54fb262225803f535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
88dd2d1094d4a69aef1ff7c8512beeb3

SHA1
957133e7bfa7caeb96eaa4b5b555da187e59ff65

SHA256
a7c39a9e173563082b2df9f59430481313c42f37b4fee9a5bde3fa02c2d7877b

SHA512
9a37235cd75d6a5a395fde3a2336bfbb6ce63191b3415c8bb2f63c9849fb1056295b78f056a79e0dec9a596016b1129763820462b5b3c48508bba4168a1ca1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
aedd81fa22ebf528a9cedf3cc7492f03

SHA1
3d6e5efcc9edae1b85db54763dbac701bb92cd38

SHA256
854b88e7f3ad57f746f379b8c70219aeb452497fdc0c6adc72c253dd00b7426a

SHA512
05bc5c77d77e76f2239ea2dff82fd9e8c25c26a8904230e57bc99a3d57087ad518c67fdfcaec04f1f76776dddbe262fb22a3e5563a2bbefacb87b38e0e9f8306

Download Submit
C:\Users\Admin\AppData\Roaming\b1bb2f37c3136770.bin
Filesize
12KB

MD5
0b14934322dcbf22909e6715f18916de

SHA1
9db64ba630deaf44c0a362c40f0473b4b3f86ba0

SHA256
31a0b4a14bd880eaceca838ae0ef8e13a6270f101e6a0b9eaabc999a05a70f98

SHA512
31548eb805baaa21b1b44a97a8ccc7a4f3f46b5bcaaa5e06c0ae77e26c215915a1c252312020e432a8dd4da5de9e0d0434905477c4c488282ecb9b5eec2ee8f5

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.3MB

MD5
35114700e75b7d87cb9fe38d1b368f5c

SHA1
37531d0866b7df51c3bcf79f19154c4314c43f94

SHA256
4eb41e7fd35ad00cf96e9cef29d588784b70e4ada72068aaa7d81316b1716a6a

SHA512
20492967c17dd72bcb62998d42c03070f86a443d38d4e5f4accbd73709764faaba8036b89589a63100f80e4331f09fbeee5a72b2f5f3d9a460ad56c6794fa5e9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
241c04d70d8c30d744722ffd16419e4a

SHA1
71c2e3c496882397ee671b8b47f37ab9c692ae79

SHA256
78c57b8bbd3eddd818224bd4d8c85a6a51799738171ddaca3d4657cf2074f626

SHA512
4e3269520599ec1e0a9dc43a8ed9f34c3e9201ef5a621d01b71ad1a46a836d8c20c77f22f4459d8afb25b8ff6ca5d687167c0e7b18bab224d2ac678956a36ecb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
030bf498cb6e72caf97052d3f3396217

SHA1
4cc5c3ac111306cbdb41851361fb912594c7d4a6

SHA256
d4859c48ee5fe9680f8fa9593bb312b4be078eb3fd23566f72022fb0a794ccf8

SHA512
0b76b0fb51f12ffb804f6ee860f8136313d342a0b8154b5ad1fead874fbb28d69024a239668ba95964d6d9e50c3a600ab584d5d40b917520e8b66e09e2ac378f

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
ad8269831600bedce65dec5c326b8597

SHA1
0fd945f082be38e03c2022fa68ee876ed84be71d

SHA256
f44a27e5f5bc050fbb9b9577d0f887980a232cb76bad4d670f49527e6daa5f8e

SHA512
390d16bb2386a81f63934d329a73a1a2c1f5ba0bc322342e311b9d48a1b1e0557079cf91b9f638132586358f17dc70f7b7c6eddf7dff8e1ee82d668a31d35086

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.3MB

MD5
9fb5e314a54700deafad4701c84183d4

SHA1
313b54d0dc9f423e5b9220fff09700fb69ce7ba0

SHA256
46f5b73707c9818540385ec8b2a76a0fd47cbb5d50586898cfc63c3772109cc2

SHA512
423ed10c242aedf0fe4f90ca096a640a6d9fe0784c85f75c720b57ac2d64b9d0e8021e1959a038d044bef2e1df20491e0a7f469498303b9dc7d2224b20bf84ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
cdb2e224f411c6bff69061098211f588

SHA1
1d988f5e5e8ad12a62f7ee7163441c681a198356

SHA256
afb063a082c0b8c1cca67410b965ad37105457d4e7737d09eea03834788b9980

SHA512
a68182c3d142dc1756c69c30a1464b80d92ab58171d403348f469aa6b157f431335f930f92c4f93d38f1abbe198579159023b0de49441afbbfd3f0eec4224e18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.4MB

MD5
288709c15a303abcc48c8b6dd22500d3

SHA1
6a58673229b158266b65640f8ffefc4802550f5f

SHA256
65709c75a1fb20ce61c2147ffc9c80e1be31a111dc07512b12f73f40a9b9d31c

SHA512
71a1e4fe3cc3fe3572ff89f92ec3e86d15f2376290aecd1cf46688f93056c7808ac98b15973d666581f898689eba232c09f96c50514382473fed12807004f471

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c376141558b7b7ceb223fa82e211d8f7

SHA1
be434747fd96a2dd726c3d12c5a6446bc5732b59

SHA256
5fc1c8955fc4b405d7b594193842e9873733aa8ae701a6eb27b52b9f5a36a856

SHA512
df7694b3236eb08a876ac304f8a4ef12ff0184a58782826adfd90df5e2a43eee776d44bbd5c7d724bb765ced47abdbbe9a9735f5adb66ef0c412ecb7380b7b62

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
390a379b328c392666c52698c2cad78f

SHA1
78f8c7cf9755fb47120d60ad29ed8b790c81b756

SHA256
666ac72bcbe442087a986d0d865dea30f204bcba89f919a76cb9d4616229610f

SHA512
e2bfdce5bcf040ff4fdd944eac974a615d1bd8e1c84a993ed51a19e9cff6d2fd29c5ad8974ba7073594c507e8f911780ca77baece424a90de7be016e826c34d0

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
9d886a6e35345658f131c0cea992a0d2

SHA1
235df7567dd6918d3af5f35d2ccac90ca404e016

SHA256
891a7ce64498363bf5ff2d72c100bd95de04238ba750520bb9d606cbad3a4878

SHA512
ebaade6e12637db3458042111903296d2f498d6a5ccb539f6558d056634107a35434168a667d64deca3c6f81b1eb90a61016635572457bd8380e8e6607f768cc

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.6MB

MD5
87ccaa88381562b5edeca91e78fb1826

SHA1
335eb1328782d360244de19947a10b01ff6dd81a

SHA256
5ed8a52e3f365b9a446cb18ee1ff9095bcf051ed308b5a801c9c54c674f39ada

SHA512
e63f18d6963e6571b260de2335d6a26547364a4fbeec11ffcaf614bba5ca9e39475d998216fb16afd5937d8cbedd5ecf9a006d61e558673b90f1fc378c4e0914

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
eeec6e8b2d86cd1cca37c456717bf957

SHA1
f594a84ba78b9b2f7428b356d4bb46bc1bbef8c5

SHA256
f1874669834bd7624b79cdb1f319ef00e396b43ee7d0a55ed8167c833139e160

SHA512
c4d54f6e5a9488b7a8caf47b38d1502ec0b2b526316533fc227cef8434cbc61af6dc0defb450171d398a124af051e1e8dfd7f294f4c3a512ce75d56701da5139

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
2cf11107b61f1c6e916f6e61b70acd46

SHA1
90ea1681ce596d0620c0a8eb425de35c589280bc

SHA256
129cadfe41ee40bdaa0d30ca01dc46a7294321e5543d7f7bb5f4a65be2abc31c

SHA512
f2681c9e965164e04dda2c76c2e6d651cccc457e7b5de15183e833e7c51ddec0964d770cb4ef74272771167e886936555609227df8ddf4cb87eda1aa5bb9b3bb

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
be21135b662f6f1c44c6684f801146d0

SHA1
7231d7e1d874ccaf6caa17da19de08cb1fad003e

SHA256
e617adc6a881eba32c4b8c25ea465a2256dea107a053461e50e5c673b5f624b0

SHA512
8b5bef32b0fa75c96bb006cac69db4bd70b840d343f7e3c70cac939f81803d7829b510a9aa0b5f67ce74900d1a8a60642980ce51dd7226c84e73359892589536

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.3MB

MD5
7d26051a3629cee6cf66cc21141b0758

SHA1
c453545740c0879a4f397fb81cf7160ec7f1d436

SHA256
35c3ee29eae914fdcfba9ab0d2a6a67e84529cee3dfb5a896df3db0e7406743c

SHA512
e2613774a7bda651654e8ffc44f8d7da3eea2991381916571ddf599f50d98e92bd1e1d3df0567a5a5fa6bf4fc193b19a1efc74d6679e8695129fa27e4e8c35c8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5c8fd0a5848b00c4b8e19c9aaa6a3eb5

SHA1
e2a5fde0654580cd37701e54d3ffb426c5760bb3

SHA256
6d72bd0fe17e5434806ed760b0eeb2235cb1312ebb4d1783b01a95cccc1de650

SHA512
588de7a8b245efb963d4557d64385bad1f7cee66d6971c9b593e7b2ba99c45ff18461aec94c34535468626c6bae6e8bc0915912d925d2acb701c036d6026fa12

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.5MB

MD5
1fb7ef07568deb98776d7daafe0aeb04

SHA1
c7a53385bb2842767b1dfce54df757fff4d14c76

SHA256
02f5f25ad6d464cc3b8263b7b2a586d6f6326369191913caf79ee8d80067007c

SHA512
c6b768aeba68876910f552e95202fe7e2d6a68dba0a24b0aaffe193a78d6974e81808f39d7d836fb936284d257475a860cb8d629f26ea54330faf49b000f4cef

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f5a9bd8b0f3f56b3d817943a30983737

SHA1
bb72594bb2701d0e951146c710f7a679634dc7e7

SHA256
cc8f12590e6179df6988728e13652807ca4e367802fa42bd427628bd9d9f4c12

SHA512
7690e588e4db3c36cf64b3ab4342c0309965286a9f03c8e1ef50ac45e02242b88f17e2812b68197386ccc2d99a91714c3043b208c9794c330c32791c9505f2ab

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
\??\pipe\crashpad_3748_XHKRNJOSPKPAZTAI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/860-321-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1040-318-0x0000000140000000-0x0000000140220000-memory.dmp

Filesize
2.1MB

Download
memory/1148-320-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1148-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-668-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1264-324-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/1540-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1540-100-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1544-21-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1544-27-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1544-18-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/1544-0-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1544-7-0x00000000020A0000-0x0000000002100000-memory.dmp

Filesize
384KB

Download
memory/1648-330-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1848-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1876-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2052-332-0x0000000140000000-0x00000001401FD000-memory.dmp

Filesize
2.0MB

Download
memory/2180-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2180-331-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2420-658-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/2420-40-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/2420-31-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2420-37-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2484-346-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/2484-669-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/3060-44-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3060-52-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3060-50-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3380-325-0x0000000000400000-0x00000000005FE000-memory.dmp

Filesize
2.0MB

Download
memory/3944-55-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3944-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3944-61-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3944-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3944-85-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4448-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-339-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4544-338-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4588-337-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4680-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4680-670-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4828-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4968-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4968-66-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4968-319-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4968-492-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5076-10-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5076-602-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5076-25-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/5076-19-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5812-534-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5812-597-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-544-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5908-673-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6008-559-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6008-588-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-569-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6108-678-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download